Report - d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip

Report Overview

Visitedpublic

2024-01-09 21:03:19

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
d1j1tfq58ortei.cloudfront.net	unknown	2008-04-25	2024-01-09 20:24:38	2024-01-09 20:24:38	515 B	314 kB	54.230.241.133
aus5.mozilla.org	2548	1998-01-24	2015-10-27 08:06:24	2024-01-09 05:09:25	523 B	1.2 kB	35.244.181.201
ciscobinary.openh264.org	40822	2013-10-19	2014-10-07 07:43:56	2024-01-09 05:09:25	305 B	512 kB	2.22.61.59

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Identifies strings used in Cobalt Strike Beacon DLL
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	The CobaltStrike malware family.
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects CobaltStrike C2 encoded profile configuration
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects CobaltStrike MZ header ReflectiveLoader launcher
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects CobaltStrike payloads
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Trojan_Raw_Generic_4
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects Meterpreter in-memory
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Rule to detect CobaltStrike beacon
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	meth_stackstrings
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Cobalt Strike Beacon Payload
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Windows.Trojan.CobaltStrike
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Windows.Trojan.CobaltStrike
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Windows.Trojan.CobaltStrike
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Windows.Trojan.CobaltStrike
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Windows.Trojan.CobaltStrike
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
2024-01-09	medium	d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip	Detects win.cobalt_strike.

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip

IP / ASN

54.230.241.133

#16509 AMAZON-02

File Overview

File TypeZip archive data, at least v2.0 to extract, compression method=store

Size314 kB (314036 bytes)

MD54f045ec9b258abb011d1a591a08f4fda

SHA1ddb952149339d518c2b4204793bc5d1dd193b525

SHA256b21b2156297902929bc81d2ef5d64501be81c6f1ed1770cc19bfbace04a3e0cc

Archive (2)

Modified	Filename	Size	MD5	File type
2024-01-03 13:39	regasm-payload_x64.dll	312 kB	bb70a52d15107c0683ad8bef64bdc9a0	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
2024-01-03 13:39	regasm-payload_x64.lnk	2.0 kB	c9e5e0201509ec897af4aa8874a65da1	MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=278, Archive, ctime=Sat Dec 7 09:10:34 2019, mtime=Wed Dec 16 18:27:32 2020, atime=Sat Dec 7 09:10:34 2019, length=65168, window=hidenormalshowminimized

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Identifies strings used in Cobalt Strike Beacon DLL
Public Nextron YARA rules	malware	The CobaltStrike malware family.
Public Nextron YARA rules	malware	Detects CobaltStrike C2 encoded profile configuration
Public Nextron YARA rules	malware	Detects CobaltStrike MZ header ReflectiveLoader launcher
Public Nextron YARA rules	malware	Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
Public Nextron YARA rules	malware	Detects CobaltStrike payloads
Public Nextron YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Public Nextron YARA rules	malware	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Public Nextron YARA rules	malware	Detects Meterpreter in-memory
Public Nextron YARA rules	malware	Detects an XORed URL in an executable
Public Nextron YARA rules	malware	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Trellix Threat Reasearch YARA rules	malware	Rule to detect CobaltStrike beacon
YARAhub by abuse.ch	malware	meth_stackstrings
CAPEv2 YARA detection rules	malware	Cobalt Strike Beacon Payload
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Google GCTI YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Malpedia's yara-signator rules	malware	Detects win.cobalt_strike.
Public InfoSec YARA rules	malware	Identifies executable artefacts in shortcut (LNK) files.
Public Nextron YARA rules	malware	Identifies strings used in Cobalt Strike Beacon DLL
Public Nextron YARA rules	malware	The CobaltStrike malware family.
Public Nextron YARA rules	malware	Detects CobaltStrike C2 encoded profile configuration
Public Nextron YARA rules	malware	Detects CobaltStrike MZ header ReflectiveLoader launcher
Public Nextron YARA rules	malware	Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
Public Nextron YARA rules	malware	Detects CobaltStrike payloads
Public Nextron YARA rules	malware	Trojan_Raw_Generic_4
Public Nextron YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Public Nextron YARA rules	malware	Detects Meterpreter in-memory
Public Nextron YARA rules	malware	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Trellix Threat Reasearch YARA rules	malware	Rule to detect CobaltStrike beacon
YARAhub by abuse.ch	malware	meth_stackstrings
CAPEv2 YARA detection rules	malware	Cobalt Strike Beacon Payload
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Google GCTI YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Malpedia's yara-signator rules	malware	Detects win.cobalt_strike.

URL

ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

IP / ASN

2.22.61.59

#20940 Akamai International B.V.

File Overview

File TypeZip archive data, at least v2.0 to extract, compression method=deflate

Size512 kB (511815 bytes)

MD5152eda253e242e18443ef3282495bc7c

SHA1ff0fa85565f21ec4931baad4573b4c0bd08c4019

SHA2568e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

Archive (2)

Modified	Filename	Size	MD5	File type
2019-03-02 16:47	gmpopenh264.info	116 B	3d33cdc0b3d281e67dd52e14435dd04f	ASCII text
2019-03-02 16:47	libgmpopenh264.so	1.4 MB	b2c1253e8a09cfe03b3d7f37de12dff7	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV)

JavaScript (0)

HTTP Transactions (3)

URL IP Response Size

GET d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip

54.230.241.133

200 OK

314 kB

URL

d1j1tfq58ortei.cloudfront.net/26-https-regasm.zip

IP / ASN

54.230.241.133

#16509 AMAZON-02

Requested byN/A

Resource Info

File typeZip archive data, at least v2.0 to extract, compression method=store

First Seen2024-08-20

Last Seen2024-08-20

Times Seen1

Size314 kB (314036 bytes)

MD54f045ec9b258abb011d1a591a08f4fda

SHA1ddb952149339d518c2b4204793bc5d1dd193b525

SHA256b21b2156297902929bc81d2ef5d64501be81c6f1ed1770cc19bfbace04a3e0cc

Certificate Info

IssuerAmazon

Subject*.cloudfront.net

FingerprintFA:21:45:DC:4D:94:03:A3:09:77:51:78:4A:21:F2:C5:6D:94:BE:52

ValidityTue, 10 Oct 2023 00:00:00 GMT - Thu, 19 Sep 2024 23:59:59 GMT

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Identifies strings used in Cobalt Strike Beacon DLL
Public Nextron YARA rules	malware	The CobaltStrike malware family.
Public Nextron YARA rules	malware	Detects CobaltStrike C2 encoded profile configuration
Public Nextron YARA rules	malware	Detects CobaltStrike MZ header ReflectiveLoader launcher
Public Nextron YARA rules	malware	Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
Public Nextron YARA rules	malware	Detects CobaltStrike payloads
Public Nextron YARA rules	malware	Trojan_Raw_Generic_4
Public Nextron YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Public Nextron YARA rules	malware	Detects Meterpreter in-memory
Public Nextron YARA rules	malware	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Trellix Threat Reasearch YARA rules	malware	Rule to detect CobaltStrike beacon
YARAhub by abuse.ch	malware	meth_stackstrings
CAPEv2 YARA detection rules	malware	Cobalt Strike Beacon Payload
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Elastic Security YARA Rules	malware	Windows.Trojan.CobaltStrike
Google GCTI YARA rules	malware	Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6
Malpedia's yara-signator rules	malware	Detects win.cobalt_strike.
urlquery	malware	Malware - Cobalt Strike

HTTP Headers

GET /26-https-regasm.zip HTTP/1.1
Host: d1j1tfq58ortei.cloudfront.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/zip
content-length: 314036
date: Tue, 9 Jan 2024 21:02:54 GMT
x-cache: Miss from cloudfront
via: 1.1 a2c3c8b833b34851dca4f7753ecaae58.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: sc2nOlgtU9I3OUR52w5qHbZ41lRwih-p634e1FRhVDhsdLWlklYuzA==
X-Firefox-Spdy: h2

aus5.mozilla.org/update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml

35.244.181.201

444 B

URL

aus5.mozilla.org/update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml

IP / ASN

35.244.181.201

#15169 GOOGLE

Requested byN/A

Resource Info

File typeXML 1.0 document, ASCII text, with very long lines (332)

First Seen2023-10-13

Last Seen2025-06-20

Times Seen185315

Size444 B (444 bytes)

MD53b324dec137a87ef7e24a30a65b13dd0

SHA1c0faa95b2f1018e264b3a14aaf50d1003e6c27b3

SHA2566cd0b591d9239fc8564627e92a804fc261951b1cbaf5fa58a8ada3cc13f51463

HTTP Headers

GET /update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml HTTP/1.1
Host: aus5.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
rule-id: unknown
rule-data-version: unknown
content-signature: x5u=https://content-signature-2.cdn.mozilla.net/chains/aus.content-signature.mozilla.org-2024-02-08-20-06-05.chain; p384ecdsa=qW47XcbbKvd7l19RE-D9rpVB2V7rfp90VlNxwW4Uy2EXfXTT7SonKuZvUdMkDw5-W9IMMps1Pcbwl4wRru1GJ9cWu4ty05-QT-b-CS4JuJYDzq7DS6RN8--6Aw-Q2Gwk
strict-transport-security: max-age=31536000;
x-content-type-options: nosniff
content-security-policy: default-src 'none'; frame-ancestors 'none'
x-proxy-cache-status: EXPIRED
content-encoding: gzip
via: 1.1 google
date: Tue, 09 Jan 2024 21:03:07 GMT
content-type: text/xml; charset=utf-8
vary: Accept-Encoding
content-length: 444
age: 6
cache-control: public,max-age=90
alt-svc: clear
X-Firefox-Spdy: h2

ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

2.22.61.59

512 kB

URL

ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

IP / ASN

2.22.61.59

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typeZip archive data, at least v2.0 to extract, compression method=deflate

First Seen2023-04-05

Last Seen2025-03-24

Times Seen32987

Size512 kB (511815 bytes)

MD5152eda253e242e18443ef3282495bc7c

SHA1ff0fa85565f21ec4931baad4573b4c0bd08c4019

SHA2568e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

HTTP Headers

GET /openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Last-Modified: Thu, 16 Nov 2023 07:38:15 GMT
ETag: 152eda253e242e18443ef3282495bc7c
Content-Length: 511815
Accept-Ranges: bytes
X-Timestamp: 1700120294.87662
Content-Type: application/zip
X-Trans-Id: tx35e1afa589ba4bd9a93ea-006556c567dfw1
Cache-Control: public, max-age=231511
Expires: Fri, 12 Jan 2024 13:21:44 GMT
Date: Tue, 09 Jan 2024 21:03:13 GMT
Connection: keep-alive