Report - brusselssprout.blob.core.windows.net/cobalt/HTTPS_x64_normal_profile

Report Overview

Visited public
2024-02-27 09:50:00
Tags
URL
brusselssprout.blob.core.windows.net/cobalt/HTTPS_x64_normal_profile_ps1.zip
Finishing URL
about:privatebrowsing
IP / ASN
52.239.143.164
#8075 MICROSOFT-CORP-MSN-AS-BLOCK
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
brusselssprout.blob.core.windows.net	unknown	1995-08-10	2024-02-08 12:49:57	2024-02-27 09:32:41	530 B	226 kB	52.239.143.164

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2024-02-27	medium	brusselssprout.blob.core.windows.net	Sinkholed

ThreatFox

No alerts detected

Files detected

URL
brusselssprout.blob.core.windows.net/cobalt/HTTPS_x64_normal_profile_ps1.zip
IP
52.239.143.164
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
226 kB (226025 bytes)
Hash
c67dbbaece72f10a6ff806b8921afddd
4f40545687f84c16e875a7f3025d3047a4483605
a4d9a5907c84676a56bff78560642fd9ea25f87f726c7a6f62279131f13d67eb

Archive (1)

Filename

Md5

File type

HTTPS_x64_normal_profile.ps1

e32d91d6875fdd0763ee0e0147e5ff38

ASCII text, with very long lines (63893)

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13
Public Nextron YARA rules	malware	Metasploit Payloads - file msf-ref.ps1
Google GCTI YARA rules	malware	Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13
VirusTotal	malicious	VirusTotal - Scan result 40/61

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

brusselssprout.blob.core.windows.net/cobalt/HTTPS_x64_normal_profile_ps1.zip

52.239.143.164

200 OK

226 kB

URL User Request GET HTTP/1.1
brusselssprout.blob.core.windows.net/cobalt/HTTPS_x64_normal_profile_ps1.zip
IP
52.239.143.164:443
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

Certificate
IssuerMicrosoft Corporation
Subject*.blob.core.windows.net
Fingerprint46:9C:08:76:F4:06:7F:36:14:A5:18:F8:48:5D:36:4F:FA:35:1B:4E
ValidityThu, 28 Sep 2023 09:17:56 GMT - Sat, 28 Sep 2024 09:17:56 GMT

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
226 kB (226025 bytes)
Hash
c67dbbaece72f10a6ff806b8921afddd
4f40545687f84c16e875a7f3025d3047a4483605
a4d9a5907c84676a56bff78560642fd9ea25f87f726c7a6f62279131f13d67eb

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
VirusTotal	malicious	VirusTotal - Scan result 40/61

HTTP Headers

GET /cobalt/HTTPS_x64_normal_profile_ps1.zip HTTP/1.1
Host: brusselssprout.blob.core.windows.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Length: 226025
Content-Type: application/zip
Content-MD5: xn27rs5y8Qpv+Aa4khr93Q==
Last-Modified: Tue, 23 Jan 2024 12:36:20 GMT
ETag: 0x8DC1C0FE6B25C57
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a0be5cbf-601e-003d-3a62-69eb2d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 27 Feb 2024 09:49:00 GMT

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Archive (1)

Detections

JavaScript (0)

HTTP Transactions (1)

URL User Request GET HTTP/1.1

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers