@usualsuspect
Created March 8, 2023 11:44
Unknown Cobalt Strike config
BeaconType - HTTPS
Port - 443
SleepTime - 60000
MaxGetSize - 1398104
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 4dbaa2821fcfa995554ad7612a869a6d
C2Server - exdiy.com,/web/portal
UserAgent - Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
HttpPostUri - /logon/index.php
Malleable_C2_Instructions - Base64 decode
HttpGet_Metadata - ConstHeaders
        Content-Type: text/html
        Cache-Control: no-cache
    Metadata
        netbios
        append "fadBX"
        uri_append
HttpPost_Metadata - ConstHeaders
        Content-Type: multipart/form-data
        Cache-Control: no-cache
    SessionId
        netbiosu
        append ".aspx"
        uri_append
    Output
        base64url
        print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - Not Found
Watermark - 1359593325
bStageCleanup - False
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 17500
ProcInject_PrependAppend_x86 - b'\x90\x90'
    Empty
ProcInject_PrependAppend_x64 - b'\x90\x90'
    Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
    CreateThread
    NtQueueApcThread-s
    kernel32.dll:LoadLibraryA
    RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - False
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - Not Found
DNS_strategy_rotate_seconds - Not Found
DNS_strategy_fail_x - Not Found
DNS_strategy_fail_seconds - Not Found
Retry_Max_Attempts - Not Found
Retry_Increase_Attempts - Not Found
Retry_Duration - Not Found