2021-02-11 Possible Cobalt Strike Stager IOCs

1. THREAT ATTRIBUTION: POSSIBLE COBALT STRIKE STAGER
2.  
3. SUBJECTS OBSERVED
4. , medical complaint
5. <Lastname>, medical complaint
6. <Lastname>, lawyer request
7. RE: Customer Complaint,
8. RE: Customer Complaint, <Lastname>
9.  
10. SENDERS OBSERVED
11. [email protected]
12. [email protected]
13. [email protected]
14. [email protected]
15. [email protected]
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27.  
28. COBALT STRIKE STAGER PAYLOAD LANDING URLS
29. https://clinic-customer-complaint-11feb.getresponsepages.com/
30. https://lawyer-complaint-rep-2-11.subscribemenow.com/
31.  
32. COBALT STRIKE STAGER FILE HASHES
33. MedicalComplaint.exe
34. a96004144208bdd15eb2daa0f4687df7
35.  
36. LawyerCustomerComplaint.exe
37. 60772f2f4ba787c019ff29dc9c747381
38.  
39. BOTH CALL OUT TO:
40. https://fast1arrival.com/sq?lid=false
41.  
42. SUPPORTING EVIDENCE
43. https://www.virustotal.com/gui/domain/fast1arrival.com/relations
44. https://www.virustotal.com/gui/file/7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f/community
45. https://www.virustotal.com/gui/file/8914f3788daa9f035228f97ad92fd3f3b3fd44891fa53a18bbfc61b932cdb1b5/detection
46. https://www.virustotal.com/gui/file/d3ec7efe7d7477c4323560cb97a367d9052b9364fdff08f1e7c9626147de3160/behavior
47.  
48. https://app.any.run/tasks/b1277892-503c-4c5f-9a92-1ccce8138796/
49. https://bazaar.abuse.ch/sample/7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f/