A Multi-Method Approach
to Identifying Rogue
Cobalt Strike Servers
Common Information
| Type | Value |
|---|---|
| UUID | b466f3de-e340-4f68-94c2-2e28ffe34943 |
| Fingerprint | 4bb6fbb602629b82c62bcd899e7307ce9fcf3ca3b2536976be1f0d4032ae6634 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 17, 2019, 11:55 a.m. |
| Added to db | March 10, 2024, 12:51 a.m. |
| Last updated | Aug. 30, 2024, 10:24 p.m. |
| Headline | A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers |
| Title | A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers |
| Detected Hints/Tags/Attributes | 113/2/33 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://go.recordedfuture.com/hubfs/reports/cta-2019-0618.pdf |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 546 | www.recordedfuture.com |
|
| Details | Domain | 154 | urlscan.io |
|
| Details | Domain | 1 | mail.sexlove24.com |
|
| Details | Domain | 1 | forum.happyhippos.org |
|
| Details | Domain | 1 | ssss.ppwu.xyz |
|
| Details | Domain | 1 | kongbu.koubaogangjiao.xyz |
|
| Details | sha256 | 1 | 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c |
|
| Details | sha256 | 1 | 3a143d038aae9e4253ed6656beaaae298795a3df20e874544c0122435ef79bc0 |
|
| Details | sha256 | 1 | 9668c17504a0d9471668dac64b3c5c2abfb3b186c25dc28d91afbe95ed341002 |
|
| Details | sha256 | 1 | 06f8004835c5851529403f73ad23168b1127315d02c68e0153e362a73f915c72 |
|
| Details | IPv4 | 2 | 89.105.198.28 |
|
| Details | IPv4 | 619 | 0.0.0.0 |
|
| Details | IPv4 | 1 | 89.105.202.58 |
|
| Details | IPv4 | 1 | 199.189.108.71 |
|
| Details | IPv4 | 1 | 31.220.43.11 |
|
| Details | IPv4 | 1 | 185.80.233.166 |
|
| Details | IPv4 | 4 | 176.126.85.207 |
|
| Details | IPv4 | 1 | 89.105.198.18 |
|
| Details | IPv4 | 1 | 89.105.198.21 |
|
| Details | IPv4 | 1 | 106.12.204.25 |
|
| Details | IPv4 | 1 | 91.152.8.14 |
|
| Details | IPv4 | 1 | 91.152.8.173 |
|
| Details | IPv4 | 1 | 99.81.122.12 |
|
| Details | IPv4 | 1 | 72.14.184.90 |
|
| Details | IPv4 | 1 | 172.96.250.199 |
|
| Details | IPv4 | 1 | 139.162.18.83 |
|
| Details | IPv4 | 1 | 139.162.18.179 |
|
| Details | IPv4 | 1 | 124.156.106.98 |
|
| Details | Mandiant Temporary Group Assumption | 44 | TEMP.PERISCOPE |
|
| Details | Threat Actor Identifier - APT | 132 | APT32 |
|
| Details | Threat Actor Identifier - APT | 143 | APT40 |
|
| Details | Threat Actor Identifier - FIN | 73 | FIN6 |
|
| Details | Url | 1 | https://72.14.184.90 |