
@sysopfb
Last active May 12, 2020 20:34
beacon pivots
Pivot from config at https://twitter.com/VK_Intel/status/1260296104672886790
{
C2_CHUNK_POST: 0
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_RECOVER: 
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]
C2_VERB_GET: GET
C2_VERB_POST: POST
CRYPTO_sCHEME: 1
DNS_IDLE: 0
DNS_SLEEP: 0
DOMAINS: 37.252.15.241,/visit.js
ITTER: 0
KILLDATE_DAY: 0
KILLDATE_MONTH: 0
KILLDATE_YEAR: 0
MAXDNS: 255
MAXGET: 1048576
PIPENAME: \\%s\pipe\msagent_%x
PORT: 80
PROTOCOL: 0
PUBKEY: 30819f300d06092a864886f70d010101050003818d0030818902818100e6c96e9ba9ebe3596e8367afb772ecf1c5705efc838ee52ca6957be5f6bc2cf0f93378c2f2cf0989d8971c366dd9d5a38231e3a786ddc0e605db448f865fb5325d647192588639d05f456ece6b44390860319b2d9fd56cdb6dbbc4036f67cfe11f2250c59abd21f1d7f2cab0a7b2b863b4ba4470663d1de10da6983554d74b930203010001
SLEEPTIME: 60000
SPAWNTO_X64: %windir%\sysnative\rundll32.exe
SPAWNTO_X86: %windir%\syswow64\rundll32.exe
SUBMITURI: /submit.php
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
dos_stub_hash:
mal_type: mal_configs
md5: 2588add337ae787071d3796d39636133
overlay_hash:
pe_header_hash: b5d31274da56847386a43f9cca674dc2
pe_start_data_hash: 1cdf62336a780a4680fdfa2a04d2ea5e
rich_hdr_data: 9a3da20ede5ccc5dde5ccc5dde5ccc5d40fc0b5ddf5ccc5d2f9a035df45ccc5d2f9a025d585ccc5d2f9a015dd45ccc5db8b21e5d465ccc5dd7245f5dd15ccc5dde5ccd5d0d5ccc5db8b2025dfc5ccc5db8b2065ddf5ccc5db8b2055ddf5ccc5db8b2005ddf5ccc5d52696368de5ccc5d
rich_hdr_hash: ea1776604db4068abb31a44ad26da7fb
section_name_hash: 3bee9f62d5857e3ae29319c4526f337e
sha1: 29898a8111f18895158c5d306fbe8bc14861883b
sha256: ae0cbcddf935d11065074d0a30c57a6e7d790742365d6dff49ede387f9e37c34
str_hash_10: fb2763f88585f3c3675363065eb8cb8a
str_hash_3: 6553ec150f913c996d8c25e729232fef
str_hash_4: a4e8d00cdd4447416b9c67a1e79a3844
str_hash_5: b14e3e6523b1bed5b1bab4cedbf8ffef
str_hash_6: f21dab46581c014bd43c465f03046c1f
str_hash_7: 95de61cb97728907d0ae21c2e3234afb
str_hash_8: 11491a352375205315c7ccd5492e2eab
str_hash_9: ba558dc6a823848c5e56072c11890e4c
type: cobaltstrike
}
{
C2_CHUNK_POST: 0
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_RECOVER: 
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]
C2_VERB_GET: GET
C2_VERB_POST: POST
CRYPTO_sCHEME: 1
DNS_IDLE: 0
DNS_SLEEP: 0
DOMAINS: 47.106.204.157,/g.pixel
ITTER: 0
MAXDNS: 255
MAXGET: 1048576
PIPENAME: \\%s\pipe\msagent_%x
PORT: 9000
PROTOCOL: 0
PROXY_BEHAVIOR: 2
PUBKEY: 30819f300d06092a864886f70d010101050003818d003081890281810081af738becf4a3be8fa2e7b26d1a24ef1ef241c5693a5e790478e1a3ec4151a9ec80a20fcd197afd34a114fcee5587e7fedea6584a3af03f9d80d93443b788f79e9bae2f4d65c557d3e8e26d21f65b3580d21550b82232ae1fb8776b6c3558c43c527ababa9af254ed6fda8b1ca20a660f45b74af5e6e7b968077fd729fd205b0203010001
SLEEPTIME: 60000
SPAWNTO_X64: %windir%\sysnative\rundll32.exe
SPAWNTO_X86: %windir%\syswow64\rundll32.exe
SUBMITURI: /submit.php
UNKNOWN38: 30
UNKNOWN39: 30
UNKNOWN40: 0
UNKNOWN41: 0
UNKNOWN43: 3634
UNKNOWN44: 3634
UNKNOWN45: 0
UNKNOWN46:
UNKNOWN47:
UNKNOWN48: 35
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
WATERMARK: 0
dos_stub_hash:
mal_type: mal_configs
md5: 1605ece7685faea45079fd86787ad069
overlay_hash:
pe_header_hash: b6020d629a4abe024912f14d8bdefa53
pe_start_data_hash: 6760ed79d0ef1b66177ef5b5112bd366
rich_hdr_data: d7fd5e35939c3066939c3066939c30662ed3a666929c30668dceb466bb9c30668dcea566809c30668dceb366119c3066b45a4b669c9c3066939c3166729c30668dceb9662f9c30668dcea266929c30668dcea166929c306652696368939c3066
rich_hdr_hash: c1252a3a14c2b314ae3d300218e38c57
section_name_hash: 7b1af1699e23046300e1cd097dee731b
sha1: cb928ad7fd80726b4edc062374bc7016f837b95a
sha256: 89dd5b039fca14713fddd3fdb5ba9426eb3b0c07d4acfa8836bf5145343593b5
str_hash_10: e366f32591fd1ff9b626c3b48bc179bb
str_hash_3: 5a434326bdf0960654f4df303d15b607
str_hash_4: ff332a9215115e72f8cbec03d08ef340
str_hash_5: 501d1421d081e3a2632e1ee5e7378ec4
str_hash_6: 1e092fa193e6fe5d4774a8c9480ff1d2
str_hash_7: 0effa190e99ebd76214bc80ed3953749
str_hash_8: 31a94f4db83d26418748ecefcf401ac6
str_hash_9: e2c5c600245d4a035520a425feeecf95
type: cobaltstrike
}
{
C2_CHUNK_POST: 0
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_RECOVER: 
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]
C2_VERB_GET: GET
C2_VERB_POST: POST
CRYPTO_sCHEME: 1
DNS_IDLE: 0
DNS_SLEEP: 0
DOMAINS: 103.86.86.71,/dot.gif
INJECT_OPTIONS: 1
ITTER: 0
KILLDATE_DAY: 0
KILLDATE_MONTH: 0
KILLDATE_YEAR: 0
MAXDNS: 255
MAXGET: 1048576
PIPENAME: \\%s\pipe\msagent_%x
PORT: 443
PROTOCOL: 8
PROXY_BEHAVIOR: 2
PUBKEY: 30819f300d06092a864886f70d010101050003818d00308189028181008ad075b9a232d45cf856f2901ea3e78b4f223c05139db648df79b9f17072512db69d396bf1ba58a160c55d37de2b7b707e57c50526ca123a6ef45b5b1e99a1e7c009aa40487e1c97ef1d4b19c30b3c2b2e8ea94c937f0c52d31c892e730845c1661301b4b34253c53d02d3d4a3f567706c9741180c9aac3f2373ac89a79bacad0203010001
SLEEPTIME: 60000
SPAWNTO_X64: %windir%\sysnative\rundll32.exe
SPAWNTO_X86: %windir%\syswow64\rundll32.exe
SUBMITURI: /submit.php
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP08; MAAU; NP08)
dos_stub_hash: 44d88612fea8a8f36de82e1278abb02f
mal_type: mal_configs
md5: df9f26ee74ee5883b717c77bc2e8c6a9
overlay_hash: 44d88612fea8a8f36de82e1278abb02f
pe_header_hash: 15bbc192e0d2300066ce08561fa03e6d
pe_start_data_hash: b5ef8563010a7f9c8ecd92abed9e9441
rich_hdr_data: 9fd21c16dbb37245dbb37245dbb3724566fce445dab37245c5e1f645f2b37245c5e1e745c8b37245c5e1f1455ab37245fc750945d4b37245dbb3734506b37245c5e1fb4562b37245c5e1e045dab37245c5e1e345dab3724552696368dbb37245
rich_hdr_hash: fbaf77a64eafa5f5c68da888bd097323
section_name_hash: 40a71983f0a3bba083f701530540dc35
sha1: d48a73f44b4177c0f80a7e781d6d0b50ab0a1fb5
sha256: cc218b5afd1a7a6ca5da19eff3bddd01185d92de12a88341184064469f8684ae
str_hash_10: 700a87bf27fb6f4c5a5fad349dc6ed84
str_hash_3: f4cb724f4d32e8ae7152fc7f70a0767c
str_hash_4: a76bb354534a79a40f090d17794dc5b9
str_hash_5: 1cb78c260e7ba9c256777067cf920ed5
str_hash_6: 8815ac60632d931aff6482f0d7eee7eb
str_hash_7: 059ae037dd5084e2153622160fb7e425
str_hash_8: 564cfdbf396a4cdf7a18cba3178e38bc
str_hash_9: 1501e2b9913b1bd24c0fde900ee7eabb
type: cobaltstrike
}