Share this page!

♠️Michael Koczwara Profile picture
Twitter logo
13 Sep, 9 tweets, 3 min read
I had a look at another hosting provider Reliablesite.]net from CS C2 104.194.10[.]21 to C2 attributed to #CVE202140444

and it is full of CS C2's

shodan.io/search?query=o…

45.58.124.98 xisiyi.]com
104.194.10.61 kelowuh.]com
104.194.9.236 zosohev.]com

Watermarks: 1580103814
209.222.101.]21 lajipil.]com
104.243.45.]141 radezig.]com
209.222.98.]45 exrap.]com
104.243.32.]108 hulixo.]com
199.127.61.]201 yiyuro.]com
45.58.127.]226 mezugen.]com
45.126.211.]2 hubojo.]com
104.243.34.]215 tubaho.]com
103.195.101.]89 nefida.]com
209.222.97.]3 xegogiv.]com
45.58.113.]178 viwiba.]com
206.221.176.]130 mubuwu.]com
104.243.33.]7 wiwege.]com
199.127.60.]67 zipflag.]com
104.194.8.]164 repdot.]com
209.222.98.]168 lozobo.]com
104.243.40.]249 xicozeh.]com
103.195.100.]89 koviluk.]com
185.150.190.]154 badiwaw.]com
104.243.37.]7 dipadux.]com
209.222.98.]111 sexefo.]com
104.194.9.]101 xesoxaf.]com
199.127.61.]194 xagadi.]com
185.150.190.]244 paxobuy.]com
103.195.100.]204 rurofo.]com
185.150.189.]202 pofifa.]com
104.194.10.]57 cubigif.]com
185.150.191.]35 zikojut.]com
45.58.112.]202 tepiwo.]com
209.222.101.]96 vigave.]com
199.127.61.]113 dirupun.]com
104.243.37.]153 lipozi.]com
209.222.99.]26 ximihul.]com
103.195.100.]2 yeyidun.]com
104.194.10.]22 koxiga.]com
206.221.176.]220 sidevot.]com
104.194.11.]107 zuveye.]com
104.243.33.]222 kuyeguh.]com
104.194.10.]21 comecal.]com
199.127.62.]132 keholus.]com
104.194.9.]228 cuyuzah.]com
104.194.11.]148 rasokuc.]com
104.194.9.]180 hexihan.]com
104.243.33.]123 pazovet.]com
104.194.11.]160 avetool.]com
104.194.10.]222 pecojap.]com
104.194.10.]153 bumoyez.]com
104.194.9.]51 nemupim.]com
172.93.109.]82 dopimi.]com
199.127.61.]15 wupake.]com
172.93.105.]2 wezaju.]com
103.195.103.]171 zedoxuf.]com
172.93.100.]155 tifiru.]com
185.150.191.]44 hacoyay.]com
206.221.184.]130 gohaduw.]com
104.243.40.]170 kidukes.]com
209.222.101.]221 ganobaz.]com
199.127.60.]15 fepaza.]com
104.238.205.]128 wigeco.]com
104.243.33.]221 xoxalab.]com
104.238.221.]42 pavateg.]com
185.150.191.]10 nacicaw.]com
103.195.101.]98 jafiha.]com
104.243.33.]100 nupahe.]com
172.96.160.214 hufamal.]com
104.238.221.50 jikoxaz.]com
209.222.101.242 kizuho.]com
172.96.143.218 jenupe.]com

All of these are Cobalt Strike C2's

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ♠️Michael Koczwara

♠️Michael Koczwara Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MichalKoczwara

♠️Michael Koczwara Profile picture
16 Sep
Red Team bad opsec part 2

Let's start with this legit-looking website

facilities-awareness.]com
13.249.22.]98

When you pay attention you can spot one interesting detail here.

The website logo/name (Model/Remodel) is not matching with URL: facilities-awareness.]com ImageImage
According to Cisco Talos website is categorized as Real Estate. Image
Now let's find out more details about the domain

You can see three IP addresses but let focus only on 64.69.57.]212 and 13.349.135.xx range Image
Read 11 tweets
♠️Michael Koczwara Profile picture
6 Sep
Cobalt Strike Hunting with @shodanhq

Default cert:

ssl.cert.serial:146473198

shodan.io/search?query=s…

example

shodan.io/host/155.138.2…

725 hits ImageImageImageImage
Cobalt Strike Hunting

hash + port (FP filtering is required)

hash:-2007783223 port:"50050"

50050 is CS TeamServer port

shodan.io/search?query=h…

example:
beta.shodan.io/host/155.138.2…

1357 hits ImageImageImage
Cobalt Strike Hunting

JARM (FP filtering is required)

ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2

You can get other JARMs from here
github.com/carbonblack/ac…

example
shodan.io/host/18.167.1.…

1519 hits ImageImageImage
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @MichalKoczwara has new unrolls!

Check out other threads from @MichalKoczwara!

Read all threads by @MichalKoczwara

:(