Authored by Mick Koomen

Summary

Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister. The overview shows that since its support for environmental keying, most samples have this feature enabled, indicating that attackers mostly use Blister in a targeted manner. Furthermore, there has been a shift in payload type from Cobalt Strike to Mythic agents, matching with previous reporting. Blister drops the same type of Mythic agent which we thus far cannot link to any public Mythic agents. Another development is that its developers started obfuscating the first stage of Blister, making it more evasive. We provide YARA rules and scripts¹ to help analyze the Mythic agent and the packer we observed with it.

Recap of Blister

Blister is a loader that loads a payload embedded inside it and in the past was observed with activity linked to Evil Corp^2,3. Matching with public reporting, we have also seen it as a follow-up in SocGholish infections. In the past, we observed Blister mostly dropping Cobalt Strike beacons, yet current developments show a shift to Mythic agents, another red teaming framework.

Elastic Security first documented Blister in December 2021 in a campaign that used malicious installers⁴. It used valid code signatures referencing the company Blist LLC to pose as a legitimate executable, likely leading to the name Blister. That campaign reportedly dropped Cobalt Strike and BitRat.

In 2022, Blister started solely using the x86-64 instruction set, versus including 32-bit as well. Furthermore, RedCanary wrote observing SocGholish dropping Blister⁵, which was later confirmed by other vendors as well⁶.

In August the same year, we observed a new version of Blister. This update included more configuration options, along with an optional domain hash for environmental keying, allowing attackers to deploy Blister in a targeted manner. Elastic Security recently wrote about this version⁷.

2023 initially did not bring new developments for Blister. However, similar to its previous update, we observed development activity in August. Notably, we saw samples with added obfuscation to the first stage of Blister, i.e. the loader component that is injected into a legitimate executable. Additionally, in July, Unit 42⁸ observed SocGholish dropping Blister with a Mythic agent.

In summary, 2023 brought new developments for Blister, with added obfuscations to the first stage and a new type of payload. The next part of this blog is divided into two parts: firstly, we look back at previous Blister payloads and configurations, and in the second part, we discuss the recent developments.

Looking back at Blister

In early 2023, we observed a SocGholish infection at our security operations center (SOC). We notified the customer and were given a binary that was related to the infection. This turned out to be a Blister sample, with Cobalt Strike as its payload.

We wrote an extractor that worked on the sample encountered at the SOC, but for certain other Blister samples it did not. It turned out that the sample from the SOC investigation belonged to a version of Blister that was introduced in August, 2022, while older samples had a different configuration. After writing an extractor for these older versions, we made an overview of what Blister had been dropping in roughly the past two years.

The samples we analyzed are all available on VirusTotal, the platform we used to find samples. We focus on 64-bit Blister samples, newer samples are not using 32-bit anymore, as far as we know. In total, we found 137 samples we could unpack, 33 samples with the older version and 104 samples with the newer version from 2022.

In the Appendix, we list these samples, where version 1 and 2 refer to the old and new version respectively. The table is sorted on the first seen date of a sample in VirusTotal, where you clearly see the introduction of the update.

Because we want to keep the tables comprehensible, we have split up the data into four tables. For now, it is important to note that Table 2 provides information per Blister sample we unpacked, including the date it was first uploaded to VirusTotal, the version, the label of the payload it drops, the type of payload, and two configuration flags. Furthermore, to have a list of Blister and payload hashes in clear text in the blog, we included these in Table 6. We also included a more complete data set at https://github.com/fox-it/blister-research.

Discussing payloads

Looking at the dropped payloads, we see that it mostly conforms with what has already been reported. In Figure 1, we provide a timeline based on the first seen date of a sample in VirusTotal and the family of the payload. The observed payloads consist of Cobalt Strike, Mythic, Putty, and a test application. Initially, Blister dropped various flavors of Cobalt Strike and later dropped a Mythic agent, which we refer to as BlisterMythic. Recently, we also observed a packer that unpacks BlisterMythic, which we refer to as MythicPacker. Interestingly, we did not observe any samples drop BitRat.

Figure 1, Overview of Blister samples we were able to unpack, based on the first seen date reported in VirusTotal.

From the 137 samples, we were able to retrieve 74 unique payloads. This discrepancy in amount of unique Blister samples versus unique payloads is mainly caused by various Blister samples that drop the same Putty or test application, namely 18 and 22 samples, respectively. This summer has shown a particular increase in test payloads.

Cobalt Strike

Cobalt Strike was dropped through three different types of payloads, generic shellcode, DLL stagers, or obfuscated shellcode. In total, we retrieved 61 beacons, in Table 1 we list the Cobalt Strike watermarks we observed. Watermarks are a unique value linked to a license key. It should be noted that Cobalt Strike watermarks can be changed and hence are not a sound way to identify clusters of activity.

Watermark (decimal)	Watermark (hexadecimal)	Nr. of beacons
206546002	0xc4fa452	2
1580103824	0x5e2e7890	21
1101991775	0x41af0f5f	38

The watermark 206546002, though only used twice, shows up in other reports as well, e.g. a report on an Emotet intrusion⁹ and a report linking it to Royal, Quantum, and Play ransomware activity^10,11. The watermark 1580103824 is mentioned in reports on Gootloader¹², but also Cl0p¹³ and also is the 9th most common beacon watermark, based on our dataset of Cobalt Strike beacons¹⁴. Interestingly, 1101991775, the watermark that is most common, is not mentioned in public reporting as far as we can tell.

Cobalt Strike profile generators

In Table 3, we list information on the extracted beacons. In there, we also list the submission path. Most of the submission paths contain /safebrowsing/ and /rest/2/meetings, matching with paths found in SourcePoint¹⁵, a Cobalt Strike command-and-control (C2) profile generator. This is only, however, for the regular shellcode beacons, when we look at the obfuscated shellcode and the DLL stager beacons, it seems to use a different C2 profile. The C2 profiles for these payloads match with another public C2 profile generator¹⁶.

Domain fronting

Some of the beacons are configured to use “domain fronting”, which is a technique that allows malicious actors to hide the true destination of their network traffic and evade detection by security systems. It involves routing malicious traffic through a content delivery network (CDN) or other intermediary server, making it appear as if the traffic is going to a legitimate or benign domain, while in reality, it’s communicating with a malicious C2 server.

Certain beacons have subdomains of fastly[.]net as their C2 server, e.g. backend.int.global.prod.fastly[.]net or python.docs.global.prod.fastly[.]net. However, the domains they connect to are admin.reddit[.]com or admin.wikihow[.]com, which are legitimate domains hosted on a CDN.

Obfuscated shellcode

In five cases, we observed Blister drop Cobalt Strike by first loading obfuscated shellcode. We included a YARA rule for this particular shellcode in the Appendix.

Performing a retrohunt on VirusTotal yielded only 12 samples, with names indicating potential test files and at least one sample dropping Cobalt Strike. We are unsure whether this is an obfuscator solely used by Evil Corp or whether it is used by other threat actors as well.

Figure 2, Layout of particular shellcode, with denoted steps.

The shellcode is fairly simple, we provide an overview of it in Figure 2. The entrypoint is at the start of the buffer, which calls into the decoding stub. This call instruction automatically pushes the next instruction’s address on the stack, which the decoding stub uses as a starting point to start mutating memory. Figure 3 shows some of these instructions, which are quite distinctive.

Figure 3, Decoding instructions observed in particular shellcode.

At the end of the decoding stub, it either jumps or calls back and then invokes the decryption function. This decryption function uses RC4, but the S-Box is already initialized, thus no key-scheduling algorithm is implemented. Lastly, it jumps to the final payload.

BlisterMythic

Matching with what was already reported by Unit 42⁸, Blister recently started using Mythic agents as its payload. Mythic is one of the many red teaming frameworks on GitHub¹⁸. You can use various agents, which are listed on GitHub as well¹⁹ and can roughly be compared to a Cobalt Strike beacon. It is possible to write your own Mythic agent, as long as you comply with a set of constraints. Thus far, we keep seeing the same Mythic agent, which we discuss in more detail later on. The first sample dropping Mythic agents was uploaded to VirusTotal on July 24th 2023, just days before initial reportings of SocGholish infections leading to Mythic. In Table 4, we provide the C2 information from the observed Mythic agents.

We observed Mythic either as a Portable Executable (PE) or as shellcode. The shellcode seems to be rare and unpacks a PE file which thus far always resulted in a Mythic agent, in our experience. We discuss this packer later on as well and provide scripts that help with retrieving the PE file it packs. We refer to this specific Mythic agent as BlisterMythic and to the packer as MythicPacker.

In Table 5, we list the BlisterMythic C2 servers we were able to find. Interestingly, the domains were all registered at DNSPod. We also observed this in the past with Cobalt Strike domains we linked to Evil Corp. Apart from this, we also see similarities in the domain names used, e.g. domains consisting of two or three words concatenated to each other and using com as top-level domain (TLD).

Test payloads

Besides red team tooling like Mythic and Cobalt Strike, we also observed Putty and a test application as payloads. Running Putty through Blister does not seem logical and is likely linked to testing. It would only result in Putty not touching the disk and running in memory, which in itself is not useful. Additionally, when we look at the domain hashes in the Blister samples, only the Putty and test application samples in some cases share their domain hash.

Blister configurations

We also looked at the configurations of Blister, from this we can to some extent derive how it is used by attackers. Note that the collection also contains “test samples” from the attacker. Except for the more obvious Putty and test application, some samples that dropped Mythic, for instance, could also be linked to testing. We chose to leave out samples that drop Putty or the test application, leaving 97 samples in total. This means that the samples paint a partly biased picture, though we think it is still valuable and provides a view into how Blister is used.

Environmental keying

Since its update in 2022, Blister includes an optional domain hash, that it computes over the DNS search domain of the machine (ComputerNameDnsDomain). It only continues executing if the hash matches with its configuration, enabling environmental keying.

By looking at the amount of samples that have domain hash verification enabled, we can say something about how Blister is deployed. From the 66 Blister samples, only 6 samples did not have domain hash verification enabled. This indicates it is mostly used in a targeted manner, corresponding with using SocGholish for initial access and reconnaissance and then deploying Blister, for example.

Persistence

Of the 97 samples, 70 have persistence enabled. For persistence, Blister still uses the same method as described by Elastic Security²⁰. It mostly uses IFileOperation COM interface to copy rundll32.exe and itself to the Startup folder, this is significant for detection, as it means that these operations are done by the process DllHost.exe, not the rundll32.exe process that hosts Blister.

Blister trying new things

Blister’s previous update altered the core payload, however, the loader that is injected into the legitimate executable remained unchanged. In August this year, we observed experimental samples on VirusTotal with an obfuscated loader component, hinting at developer activity. Interestingly, we could link these samples to another sample on VirusTotal which solely contained the function body of the loader and another sample that contained a loader with a large set of INT 3 instructions added to it. Perhaps the developer was experimenting with different mutations to see how it influences the detection rate.

Obfuscating the first stage

Recent samples from September 2023 have the loader obfuscated in the same manner, with bogus instructions and excessive jump instructions. These changes make it harder to detect Blister using YARA, as the loader instructions are now intertwined with junk instructions and sometimes are followed by junk data due to the added jump instructions.

Figure 4, Comparison of two loader components from recent Blister samples, left is without obfuscation and right is with obfuscation.

In Figure 4, we compare the two function bodies of the loader, one body which is normally seen in Blister samples and one obfuscated function body, observed in the recent samples. The comparison shows that naive YARA rules are less likely to trigger on the obfuscated function body. In the Appendix, we provide a Blister rule that tries to detect these obfuscated samples. The added bogus instructions include instructions, such as btc, bts, lahf and cqo, bogus instructions we also observed in the Blister core before, see the core component of SHA256 4faf362b3fe403975938e27195959871523689d0bf7fba757ddfa7d00d437fd4, for example.

Dropping Mythic agents

Apart from an obfuscated loader, Mythic agents currently are the payload of choice. In September and October, we found obfuscated Blister samples only dropping Mythic. Certain samples have low or zero detections on VirusTotal²¹ at the time of writing, showing that obfuscation does pay off.

We now discuss one sample²² that drops a shellcode eventually executing a Mythic agent. The shellcode unpacks a PE file and executes it. We provide a YARA rule for this packer in the Appendix, which we refer to as MythicPacker. Based on this rule, we did not find other samples, suggesting it is a custom packer. Until now, we have only seen this packer unpacking Mythic agents.

The dropped Mythic agents are all similar and we cannot link them to any public agents thus far. This could mean that Blister developers created their own Mythic agent, though this is uncertain. We provided a YARA rule that matches on all agents we encountered, a VirusTotal retrohunt over the past year resulted in only four samples, all linked to Blister. We think this Mythic agent is likely custom-made.

Figure 5, BlisterMythic configuration decryption.

The agents all share a similar structure, namely an encrypted configuration in the .bss section of the executable. The agent has an encrypted configuration which is decrypted by XORing the size of the configuration with a constant that differs per sample, it seems. For PE files, we have a Python script that can decrypt a configuration. Figure 5 denotes this decryption loop, where the XOR constant is 0x48E12000.

Figure 6, Decrypted BlisterMythic configuration

Dumping the configuration results in a binary blob that contains various information, including the C2 server. Figure 6 shows a hexdump of a snippet from the decrypted configuration. We created a script to dump the decrypted configuration of the BlisterMythic agent in PE format and also a script that unpacks MythicPacker shellcode and outputs a reconstructed PE file, see https://github.com/fox-it/blister-research.

Conclusion

In this post, we provided an overview of observed Blister payloads from the past one and a half years on VirusTotal and also gave insight into recent developments. Furthermore, we provided scripts and YARA rules to help analyze Blister and the Mythic agent it drops.

From the analyzed payloads, we see that Cobalt Strike was the favored choice, but that lately this has been replaced by Mythic. Cobalt Strike was mostly dropped as shellcode and briefly run through obfuscated shellcode or a DLL stager. Apart from Cobalt Strike and Mythic, we saw that Blister test samples are uploaded to VirusTotal as well.

The custom Mythic agent together with the obfuscated loader, are new Blister developments that happened in the past months. It is likely that its developers were aware that the loader component was still a weak spot in terms of static detection. Additionally, throughout the years, Cobalt Strike has received a lot of attention from the security community, with available dumpers and C2 feeds readily available. Mythic is not as popular and allows you to write your own agent, making it an appropriate replacement for now.

References

1. https://github.com/fox-it/blister-research ↩︎
2. https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions ↩︎
3. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ ↩︎
4. https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign ↩︎
5. https://redcanary.com/blog/intelligence-insights-january-2022/ ↩︎
6. https://www.trendmicro.com/en_ie/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html ↩︎
7. https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader ↩︎
8. https://twitter.com/Unit42_Intel/status/1684583246032506880 ↩︎
9. https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ ↩︎
10. https://www.group-ib.com/blog/shadowsyndicate-raas/ ↩︎
11. https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html ↩︎
12. https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ ↩︎
13. https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf ↩︎
14. https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/ ↩︎
15. https://github.com/Tylous/SourcePoint ↩︎
16. https://github.com/threatexpress/random_c2_profile ↩︎
17. https://twitter.com/Unit42_Intel/status/1684583246032506880 ↩︎
18. https://github.com/its-a-feature/Mythic ↩︎
19. https://mythicmeta.github.io/overview/ ↩︎
20. https://www.elastic.co/security-labs/blister-loader ↩︎
21. https://www.virustotal.com/gui/file/a5fc8d9f9f4098e2cecb3afc66d8158b032ce81e0be614d216c9deaf20e888ac ↩︎
22. https://www.virustotal.com/gui/file/f58de1733e819ea38bce21b60bb7c867e06edb8d4fd987ab09ecdbf7f6a319b9 ↩︎

Appendix

YARA rules

rule shellcode_obfuscator
{
    meta:
        os = "Windows"
        arch = "x86-64"
        description = "Detects shellcode packed with unknown obfuscator observed in Blister samples."
        reference_sample = "178ffbdd0876b99ad1c2d2097d9cf776eca56b540a36c8826b400cd9d5514566"
    strings:
        $rol_ror = { 48 C1 ?? ?? ?? 48 C1 ?? ?? ?? 48 C1 ?? ?? ?? }
        $mov_rol_mov = { 4d ?? ?? ?? 49 c1 ?? ?? ?? 4d ?? ?? ?? }
        $jmp = { 49 81 ?? ?? ?? ?? ?? 41 ?? }
    condition:
        #rol_ror > 60 and $jmp and filesize < 2MB and #mov_rol_mov > 60
}

import "pe"
import "math"

rule blister_x64_windows_loader {
    meta:
        os = "Windows"
        arch = "x86-64"
        family = "Blister"
        description = "Detects Blister loader component injected into legitimate executables."
        reference_sample = "343728792ed1e40173f1e9c5f3af894feacd470a9cdc72e4f62c0dc9cbf63fc1, 8d53dc0857fa634414f84ad06d18092dedeb110689a08426f08cb1894c2212d4, a5fc8d9f9f4098e2cecb3afc66d8158b032ce81e0be614d216c9deaf20e888ac"
    strings:
        // 65 48 8B 04 25 60 00 00 00                          mov     rax, gs:60h
        $inst_1 = {65 48 8B 04 25 60 00 00 00}
        // 48 8D 87 44 6D 00 00                                lea     rax, [rdi+6D44h]
        $inst_2 = {48 8D 87 44 6D 00 00}
        // 44 69 C8 95 E9 D1 5B                                imul    r9d, eax, 5BD1E995h
        $inst_3 = {44 ?? ?? 95 E9 D1 5B}
        // 41 81 F9 94 85 09 64                                cmp     r9d, 64098594h
        $inst_4 = {41 ?? ?? 94 85 09 64}
        // B8 FF FF FF 7F                                      mov     eax, 7FFFFFFFh
        $inst_5 = {B8 FF FF FF 7F}
        // 48 8D 4D 48                                         lea     rcx, [rbp+48h]
        $inst_6 = {48 8D 4D 48}
    condition:
        uint16(0) == 0x5A4D and
        all of ($inst_*) and
        pe.number_of_resources > 0 and
        for any i in (0..pe.number_of_resources - 1):
            ( (math.entropy(pe.resources[i].offset, pe.resources[i].length) > 6) and
                pe.resources[i].length > 200000 
            )
}

rule blister_mythic_payload {
    meta:
        os = "Windows"
        arch = "x86-64"
        family = "BlisterMythic"
        description = "Detects specific Mythic agent dropped by Blister."
        reference_samples = "2fd38f6329b9b2c5e0379a445e81ece43fe0372dec260c1a17eefba6df9ffd55, 3d2499e5c9b46f1f144cfbbd4a2c8ca50a3c109496a936550cbb463edf08cd79, ab7cab5192f0bef148670338136b0d3affe8ae0845e0590228929aef70cb9b8b, f89cfbc1d984d01c57dd1c3e8c92c7debc2beb5a2a43c1df028269a843525a38"
    strings:
        $start_inst = { 48 83 EC 28 B? [4-8] E8 ?? ?? 00 00 }
        $for_inst = { 48 2B C8 0F 1F 00 C6 04 01 00 48 2D 00 10 00 00 }
    condition:
        all of them
}

rule mythic_packer
{
    meta:
        os = "Windows"
        arch = "x86-64"
        family = "MythicPacker"
        description = "Detects specific PE packer dropped by Blister."
        reference_samples = "9a08d2db7d0bd7d4251533551d4def0f5ee52e67dff13a2924191c8258573024, 759ac6e54801e7171de39e637b9bb525198057c51c1634b09450b64e8ef47255"
    strings:
        // 41 81 38 72 47 65 74        cmp     dword ptr [r8], 74654772h
        $a = { 41 ?? ?? 72 47 65 74 }
        // 41 81 38 72 4C 6F 61        cmp     dword ptr [r8], 616F4C72h
        $b = { 41 ?? ?? 72 4C 6F 61 }
        // B8 01 00 00 00              mov     eax, 1
        // C3                          retn
        $c = { B8 01 00 00 00 C3 }
    condition:
        all of them and uint8(0) == 0x48
}

Blister payloads listing

First seen	Version	Payload family	Payload type	Environmental keying	Persistence
2021-12-03	1	Cobalt Strike	shellcode	N/a	0
2021-12-05	1	Cobalt Strike	shellcode	N/a	0
2021-12-14	1	Cobalt Strike	shellcode	N/a	0
2022-01-10	1	Cobalt Strike	shellcode	N/a	1
2022-01-11	1	Cobalt Strike	shellcode	N/a	1
2022-01-19	1	Cobalt Strike	shellcode	N/a	1
2022-01-19	1	Cobalt Strike	shellcode	N/a	1
2022-01-31	1	Cobalt Strike	shellcode	N/a	1
2022-02-14	1	Cobalt Strike	shellcode	N/a	1
2022-02-17	1	Cobalt Strike	shellcode	N/a	1
2022-02-22	1	Cobalt Strike	shellcode	N/a	1
2022-02-26	1	Cobalt Strike	shellcode	N/a	1
2022-03-10	1	Cobalt Strike	shellcode	N/a	1
2022-03-14	1	Cobalt Strike	shellcode	N/a	1
2022-03-15	1	Cobalt Strike	shellcode	N/a	0
2022-03-15	1	Cobalt Strike	shellcode	N/a	0
2022-03-18	1	Cobalt Strike	shellcode	N/a	0
2022-03-18	1	Cobalt Strike	shellcode	N/a	1
2022-03-24	1	Putty	exe	N/a	0
2022-03-24	1	Putty	exe	N/a	0
2022-03-30	1	Cobalt Strike	shellcode	N/a	1
2022-04-01	1	Cobalt Strike	shellcode	N/a	0
2022-04-11	1	Cobalt Strike	shellcode	N/a	1
2022-04-22	1	Cobalt Strike	shellcode	N/a	1
2022-04-25	1	Cobalt Strike	shellcode	N/a	0
2022-06-01	1	Cobalt Strike	shellcode	N/a	0
2022-06-02	1	Cobalt Strike	shellcode	N/a	1
2022-06-14	1	Cobalt Strike	shellcode	N/a	1
2022-07-04	1	Cobalt Strike	shellcode	N/a	1
2022-07-19	1	Cobalt Strike	shellcode	N/a	0
2022-07-21	1	Cobalt Strike	shellcode	N/a	0
2022-08-05	1	Cobalt Strike	shellcode	N/a	1
2022-08-29	2	Cobalt Strike	shellcode	0	1
2022-09-02	2	Cobalt Strike	shellcode	0	0
2022-09-29	2	Cobalt Strike	shellcode	1	0
2022-10-18	2	Cobalt Strike	shellcode	1	1
2022-10-18	2	Cobalt Strike	shellcode	1	1
2022-10-18	2	Cobalt Strike	shellcode	1	0
2022-10-18	2	Cobalt Strike	shellcode	1	1
2022-10-21	2	Cobalt Strike	shellcode	1	1
2022-10-21	2	Cobalt Strike	shellcode	1	0
2022-10-24	2	Cobalt Strike	shellcode	1	1
2022-10-26	2	Cobalt Strike	shellcode	1	1
2022-10-26	2	Cobalt Strike	shellcode	1	1
2022-10-28	2	Cobalt Strike	shellcode	1	0
2022-10-31	2	Cobalt Strike	shellcode	1	1
2022-11-02	2	Cobalt Strike	shellcode	1	1
2022-11-03	2	Cobalt Strike	shellcode	1	1
2022-11-07	2	Cobalt Strike	shellcode	1	1
2022-11-08	2	Cobalt Strike	shellcode	1	1
2022-11-17	2	Cobalt Strike	shellcode	1	1
2022-11-22	2	Cobalt Strike	shellcode	1	1
2022-11-30	2	Cobalt Strike	shellcode	1	1
2022-12-01	2	Cobalt Strike	shellcode	1	1
2022-12-01	2	Cobalt Strike	shellcode	1	0
2022-12-01	2	Cobalt Strike	shellcode	1	0
2022-12-02	2	Cobalt Strike	shellcode	1	1
2022-12-05	2	Cobalt Strike	shellcode	1	1
2022-12-12	2	Cobalt Strike	shellcode	1	1
2022-12-13	2	Cobalt Strike	shellcode	1	1
2022-12-23	2	Cobalt Strike	shellcode	1	1
2023-01-06	2	Cobalt Strike	shellcode	1	1
2023-01-16	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-16	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-16	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-17	2	Cobalt Strike	shellcode	0	1
2023-01-17	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-20	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-20	2	Cobalt Strike obfuscated shellcode	shellcode	1	1
2023-01-24	2	Cobalt Strike	shellcode	1	1
2023-01-26	2	Cobalt Strike	shellcode	1	1
2023-01-26	2	Cobalt Strike	shellcode	1	1
2023-02-02	2	Cobalt Strike	shellcode	1	1
2023-02-02	2	Test application	shellcode	1	0
2023-02-02	2	Test application	shellcode	1	0
2023-02-02	2	Putty	exe	1	0
2023-02-02	2	Test application	shellcode	1	0
2023-02-15	2	Putty	exe	1	0
2023-02-15	2	Test application	shellcode	1	0
2023-02-15	2	Putty	exe	1	0
2023-02-15	2	Test application	shellcode	1	0
2023-02-17	2	Cobalt Strike stager	exe	1	1
2023-02-27	2	Cobalt Strike stager	exe	1	1
2023-02-28	2	Cobalt Strike stager	exe	1	1
2023-03-06	2	Cobalt Strike stager	exe	1	1
2023-03-06	2	Cobalt Strike stager	exe	1	1
2023-03-06	2	Cobalt Strike stager	exe	1	1
2023-03-15	2	Cobalt Strike stager	exe	1	0
2023-03-19	2	Cobalt Strike stager	exe	1	1
2023-03-23	1	Cobalt Strike	shellcode	N/a	1
2023-03-28	2	Cobalt Strike stager	exe	1	1
2023-03-28	2	Cobalt Strike stager	exe	1	0
2023-04-03	2	Cobalt Strike stager	exe	1	1
2023-05-25	2	Cobalt Strike stager	exe	0	1
2023-05-26	2	Cobalt Strike	shellcode	1	1
2023-06-11	2	Test application	shellcode	1	0
2023-06-11	2	Putty	exe	1	0
2023-06-11	2	Putty	exe	1	0
2023-07-24	2	BlisterMythic	exe	1	1
2023-07-27	2	BlisterMythic	exe	1	1
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-09	2	Test application	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-10	2	Putty	shellcode	1	0
2023-08-11	2	BlisterMythic	exe	1	0
2023-08-15	2	Test application	shellcode	1	0
2023-08-17	2	BlisterMythic	exe	1	1
2023-08-18	2	MythicPacker	shellcode	1	0
2023-09-05	2	MythicPacker	shellcode	0	0
2023-09-05	2	MythicPacker	shellcode	0	1
2023-09-08	2	Test application	shellcode	1	0
2023-09-08	2	Test application	shellcode	1	0
2023-09-08	2	Test application	shellcode	1	0
2023-09-08	2	Putty	shellcode	1	0
2023-09-08	2	Putty	shellcode	1	0
2023-09-08	2	Test application	shellcode	1	0
2023-09-19	2	BlisterMythic	exe	1	1
2023-09-21	2	MythicPacker	shellcode	1	0
2023-09-21	2	MythicPacker	shellcode	1	0
2023-10-03	2	MythicPacker	shellcode	1	0
2023-10-10	2	MythicPacker	shellcode	1	0

Cobalt Strike beacons

Watermark	Domain	URI
1101991775	albertonne[.]com	/safebrowsing/d4alBmGBO/HafYg4QZaRhMBwuLAjVmSPc
1101991775	astradamus[.]com	/Collect/union/QXMY8BHNIPH7
1101991775	backend.int.global.prod.fastly[.]net	/Detect/devs/NJYO2MUY4V
1101991775	cclastnews[.]com	/safebrowsing/d4alBmGBO/UaIzXMVGvV3tS2OJiKxSzyzbh4u1
1101991775	cdp-chebe6efcxhvd0an.z01.azurefd[.]net	/Detect/devs/NJYO2MUY4V
1101991775	deep-linking[.]com	/safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9
1101991775	deep-linking[.]com	/safebrowsing/fDeBjO/dMfdNUdgjjii3Ccalh10Mh4qyAFw5mS
1101991775	deep-linking[.]com	/safebrowsing/fDeBjO/vnZNyQrwUjndCPsCUXSaI
1101991775	diggin-fzbvcfcyagemchbq.z01.azurefd[.]net	/restore/how/3RG4G5T87
1101991775	edubosi[.]com	/safebrowsing/bsaGbO6l/ybGoI3wmK2uF9w9aL5qKmnS8IZIWsJqhp
1101991775	e-sistem[.]com	/Detect/devs/NJYO2MUY4V
1101991775	ewebsofts[.]com	/safebrowsing/3Tqo/UMskN3Lh0LyLy8BfpG1Bsvp
1101991775	expreshon[.]com	/safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9
1101991775	eymenelektronik[.]com	/safebrowsing/dfKa/B58qAhJ0AEF7aNwauoqpAL8
1101991775	gotoknysna.com.global.prod.fastly[.]net	/safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9
1101991775	henzy-h6hxfpfhcaguhyf5.z01.azurefd[.]net	/Detect/devs/NJYO2MUY4V
1101991775	lepont-edu[.]com	/safebrowsing/dfKa/9T1BuXpqEDg9tx53mQRU6
1101991775	lindecolas[.]com	/safebrowsing/d4alBmGBO/UaIzXMVGvV3tS2OJiKxSzyzbh4u1
1101991775	lodhaamarathane[.]com	/safebrowsing/dfKa/9T1BuXpqEDg9tx53mQRU6
1101991775	mail-adv[.]com	/safebrowsing/bsaGbO6l/dl1sskHxt1uGDGUnLDB5gxn4vYZQK1kaG6
1101991775	mainecottagebythesea[.]com	/functionalStatus/cjdl-CLe4j-XHyiEaDqQx
1101991775	onscenephotos[.]com	/restore/how/3RG4G5T87
1101991775	promedia-usa[.]com	/safebrowsing/d4alBmGBO/HafYg4QZaRhMBwuLAjVmSPc
1101991775	python.docs.global.prod.fastly[.]net	/Collect/union/QXMY8BHNIPH7
1101991775	realitygangnetwork[.]com	/functionalStatus/qPprp9dtVhrGV3R3re5Xy4M2cfQo4wB
1101991775	realitygangnetwork[.]com	/functionalStatus/vFi8EPnc9zJTD0GgRPxggCQAaNb
1101991775	sanfranciscowoodshop[.]com	/safebrowsing/dfKa/GgVYon5zhYu5L7inFbl1MZEv7RGOnsS00b
1101991775	sohopf[.]com	/apply/admin_/99ZSSAHDH
1101991775	spanish-home-sales[.]com	/safebrowsing/d4alBmGBO/EB-9sfMPmsHmH-A7pmll9HbV0g
1101991775	steveandzina[.]com	/safebrowsing/d4alBmGBO/mr3lHbohEvZa0mKDWWdwTV5Flsxh
1101991775	steveandzina[.]com	/safebrowsing/d4alBmGBO/YwTM1CK0mBV1Y7UDagpjP
1101991775	websterbarn[.]com	/safebrowsing/fDeBjO/CGZcHKnX3arVCfFp98k8
1580103824	10.158.128[.]50
1580103824	bimelectrical[.]com	/safebrowsing/7IAMO/hxNTeZ8lBNYqjAsQ2tBRS
1580103824	bimelectrical[.]com	/safebrowsing/7IAMO/Jwee0NMJNKn9sDD8sUEem4g8jcB2v44UINpCIj
1580103824	bookmark-tag[.]com	/safebrowsing/eMUgI4Z/3RzgDBAvgg3DQUn8XtN8l
1580103824	braprest[.]com	/safebrowsing/d5pERENa/3tPCoNwoGwXAvV1w1JAS-OOPyVYxL1K2styHFtbXar7ME
1580103824	change-land[.]com	/safebrowsing/TKc3hA/DzwHHcc8y8O9kAS7cl4SDK0e6z0KHKIX9w7
1580103824	change-land[.]com	/safebrowsing/TKc3hA/nLTHCIhzOKpdFp0GFHYBK-0bRwdNDlZz6Qc
1580103824	clippershipintl[.]com	/safebrowsing/sj0IWAb/YhcZADXFB3NHbxFtKgpqBtK9BllJiGEL
1580103824	couponbrothers[.]com	/safebrowsing/Jwjy4/mzAoZyZk7qHIyw3QrEpXij5WFhIo1z8JDUVA0N0
1580103824	electronic-infinity[.]com	/safebrowsing/TKc3hA/t-nAkENGu9rpZ9ebRRXr79b
1580103824	final-work[.]com	/safebrowsing/AvuvAkxsR/8I6ikMUvdNd8HOgMeD0sPfGpwSZEMr
1580103824	geotypico[.]com	/safebrowsing/d5pERENa/f5oBhEk7xS3cXxstp6Kx1G7u3N546UStcg9nEnzJn2k
1580103824	imsensors[.]com	/safebrowsing/eMUgI4Z/BOhKRIMsJsuPnn3IQvgrEc3XLQUB3W
1580103824	intradayinvestment[.]com	/safebrowsing/dpNqi/nXeFgGufr9VqHjDdsIZbw-ZH0
1580103824	medicare-cost[.]com	/safebrowsing/dpNqi/F3QExtY65SvTVK1ewA26
1580103824	optiontradingsignal[.]com	/safebrowsing/dpNqi/7CtHhF-isMMQ6m7NmHYNb0N7E7Fe
1580103824	setechnowork[.]com	/safebrowsing/fBm1b/JbcKDYjMWcQNjn69LnGggFe6mpjn5xOQ
1580103824	sikescomposites[.]com	/safebrowsing/Jwjy4/cmr4tZ7IyFGbgCiof2tHMO
1580103824	technicollit[.]com	/safebrowsing/b0kKKIjr/AzX9ZHB37oJfPsUBUaxBJjzzi132cYRZhUZc81g
1580103824	wasfatsahla[.]com	/safebrowsing/IsXNCJJfH/5x0rUIrn–r85sLJIuEY7C9q
206546002	smutlr[.]com	/functionalStatus/qPprp9dtVhrGV3R3re5Xy4M2cfQo4wB
206546002	spanish-home-sales[.]com	/functionalStatus/fb8ClEdmm-WwYudk-zODoQYB7DX3wQYR

BlisterMythic payloads

Domain	URI
139-177-202-78.ip.linodeusercontent[.]com	/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js
23-92-30-58.ip.linodeusercontent[.]com	/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js
aviditycellars[.]com	/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js
boxofficeseer[.]com	/s/0.7.8/clarity.js
d1hp6ufzqrj3xv.cloudfront[.]net	/organizations/oauth2/v2.0/authorize
makethumbmoney[.]com	/s/0.7.8/clarity.js
rosevalleylimousine[.]com	/login.sophos.com/B2C_1A_signup_signin/api/SelfAsserted/confirmed

BlisterMythic C2 servers

IP	Domain
37.1.215[.]57	angelbusinessteam[.]com
92.118.112[.]100	danagroupegypt[.]com
104.238.60[.]11	shchiswear[.]com
172.233.238[.]215	N/a
96.126.111[.]127	N/a
23.239.11[.]145	N/a
45.33.98[.]254	N/a
45.79.199[.]4	N/a
45.56.105[.]98	N/a
149.154.158[.]243	futuretechfarm[.]com
104.243.33[.]161	sms-atc[.]com
104.243.33[.]129	makethumbmoney[.]com
138.124.180[.]241	vectorsandarrows[.]com
94.131.101[.]58	pacatman[.]com
198.58.119[.]214	N/a
185.174.101[.]53	personmetal[.]com
185.45.195[.]30	aviditycellars[.]com
185.250.151[.]145	bureaudecreationalienor[.]com
23.227.194[.]115	bitscoinc[.]com
88.119.175[.]140	boxofficeseer[.]com
88.119.175[.]137	thesheenterprise[.]com
37.1.214[.]162	remontisto[.]com
45.66.248[.]99	N/a
88.119.175[.]104	visioquote[.]com
45.66.248[.]13	cannabishang[.]com
92.118.112[.]8	turanmetal[.]com
37.1.211[.]150	lucasdoors[.]com
185.72.8[.]219	displaymercials[.]com
172.232.172[.]128	N/a
82.117.253[.]168	digtupu[.]com
104.238.60[.]112	avblokhutten[.]com
173.44.141[.]34	hom4u[.]com
170.130.165[.]140	rosevalleylimousine[.]com
172.232.172[.]110	N/a
5.8.63[.]79	boezgrt[.]com
172.232.172[.]125	N/a
162.248.224[.]56	hatchdesignsnh[.]com
185.174.101[.]13	formulaautoparts[.]com
23.152.0[.]193	ivermectinorder[.]com
192.169.6[.]200	szdeas[.]com
194.87.32[.]85	licencesolutions[.]com
185.45.195[.]205	motorrungoli[.]com

Blister samples

SHA256	Payload family	Payload SHA256
0a73a9ee3650821352d9c4b46814de8f73fde659cae6b82a11168468becb68d1	Cobalt Strike	397c08f5cdc59085a48541c89d23a8880d41552031955c4ba38ff62e57cfd803
0bbf1a3a8dd436fda213bc126b1ad0b8704d47fd8f14c75754694fd47a99526c	BlisterMythic	ab7cab5192f0bef148670338136b0d3affe8ae0845e0590228929aef70cb9b8b
0e8458223b28f24655caf37e5c9a1c01150ac7929e6cb1b11d078670da892a5b	Cobalt Strike	4420bd041ae77fce2116e6bd98f4ed6945514fad8edfbeeeab0874c84054c80a
0f07c23f7fe5ff918ee596a7f1df320ed6e7783ff91b68c636531aba949a6f33	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
a3cb53ddd4a5316cb02b7dc4ccd1f615755b46e86a88152a1f8fc59efe170497	Cobalt Strike	e85a2e8995ef37acf15ea79038fae70d4566bd912baac529bad74fbec5bb9c21
a403b82a14b392f8485a22f105c00455b82e7b8a3e7f90f460157811445a8776	Cobalt Strike	e0c0491e45dda838f4ac01b731dd39cc7064675a6e1b79b184fff99cdce52f54
a5fc8d9f9f4098e2cecb3afc66d8158b032ce81e0be614d216c9deaf20e888ac	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
a9ea85481e178cd35ae323410d619e97f49139dcdb2e7da72126775a89a8464f	Cobalt Strike	c7accad7d8da9797788562a3de228186290b0f52b299944bec04a95863632dc0
ac232e7594ce8fbbe19fc74e34898c562fe9e8f46d4bfddc37aefeb26b85c02b	Cobalt Strike obfuscated shellcode	cef1a88dfc436dab9ae104f0770a434891bbd609e64df43179b42b03a7e8f908
acdaac680e2194dd8fd06f937847440e7ab83ce1760eab028507ee8eba557291	Cobalt Strike	b96d4400e9335d80dedee6f74ffaa4eca9ffce24c370790482c639df52cb3127
ae148315cec7140be397658210173da372790aa38e67e7aa51597e3e746f2cb2	Cobalt Strike	f245b2bc118c3c20ed96c8a9fd0a7b659364f9e8e2ee681f5683681e93c4d78b
aeecc65ac8f0f6e10e95a898b60b43bf6ba9e2c0f92161956b1725d68482721d	Cobalt Strike	797abd3de3cb4c7a1ceb5de5a95717d84333bedcbc0d9e9776d34047203181bc
b062dd516cfa972993b6109e68a4a023ccc501c9613634468b2a5a508760873e	Cobalt Strike	122b77fd4d020f99de66bba8346961b565e804a3c29d0757db807321e9910833
b10db109b64b798f36c717b7a050c017cf4380c3cb9cfeb9acd3822a68201b5b	Cobalt Strike	902d29871d3716113ca2af5caa6745cb4ab9d0614595325c1107fb83c1494483
b1d1a972078d40777d88fb4cd6aef1a04f29c5dd916f30a6949b29f53a2d121c	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
b1f3f1c06b1cc9a249403c2863afc132b2d6a07f137166bdd1e4863a0cece5b1	Cobalt Strike	e63807daa9be0228d90135ee707ddf03b0035313a88a78e50342807c27658ff2
b4c746e9a49c058ae3843799cdd6a3bb5fe14b413b9769e2b5a1f0f846cb9d37	Cobalt Strike stager	063191c49d49e6a8bdcd9d0ee2371fb1b90f1781623827b1e007e520ec925445
b4f37f13a7e9c56ea95fa3792e11404eb3bdb878734f1ca394ceed344d22858f	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
b956c5e8ec6798582a68f24894c1e78b9b767aae4d5fb76b2cc71fc9c8befed8	Cobalt Strike	6fc283acfb7dda7bab02f5d23dc90b318f4c73a8e576f90e1cac235bf8d02470
b99ba2449a93ab298d2ec5cacd5099871bacf6a8376e0b080c7240c8055b1395	Cobalt Strike	96fab57ef06b433f14743da96a5b874e96d8c977b758abeeb0596f2e1222b182
b9e313e08b49d8d2ffe44cb6ec2192ee3a1c97b57c56f024c17d44db042fb9eb	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
bc238b3b798552958009f3a4ce08e5ce96edff06795281f8b8de6f5df9e4f0fe	Cobalt Strike stager	191566d8cc119cd6631d353eab0b8c1b8ba267270aa88b5944841905fa740335
bcd64a8468762067d8a890b0aa7916289e68c9d8d8f419b94b78a19f5a74f378	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
c113e8a1c433b4c67ce9bce5dea4b470da95e914de4dc3c3d5a4f98bce2b7d6c	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
c1261f57a0481eb5d37176702903025c5b01a166ea6a6d42e1c1bdc0e5a0b04b	Cobalt Strike obfuscated shellcode	189b7afdd280d75130e633ebe2fcf8f54f28116a929f5bb5c9320f11afb182d4
c149792a5e5ce4c15f8506041e2f234a9a9254dbda214ec79ceef7d0911a3095	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
c2046d64bcfbab5afcb87a75bf3110e0fa89b3e0f7029ff81a335911cf52f00a	Cobalt Strike	d048001f09ad9eedde44f471702a2a0f453c573db9c8811735ec45d65801f1d0
c3509ba690a1fcb549b95ad4625f094963effc037df37bd96f9d8ed5c7136d94	Cobalt Strike	e0c0491e45dda838f4ac01b731dd39cc7064675a6e1b79b184fff99cdce52f54
c3cfbede0b561155062c2f44a9d44c79cdb78c05461ca50948892ff9a0678f3f	Cobalt Strike	bcb32a0f782442467ea8c0bf919a28b58690c68209ae3d091be87ef45d4ef049
c79ab271d2abd3ee8c21a8f6ad90226e398df1108b4d42dc551af435a124043c	Cobalt Strike	749d061acb0e584df337aaef26f3b555d5596a96bfffc9d6cd7421e22c0bacea
cab95dc6d08089dcd24c259f35b52bca682635713c058a74533501afb94ab91f	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
cea5c060dd8abd109b478e0de481f0df5ba3f09840746a6a505374d526bd28dc	MythicPacker	759ac6e54801e7171de39e637b9bb525198057c51c1634b09450b64e8ef47255
cfa604765b9d7a93765d46af78383978251486d9399e21b8e3da4590649c53e4	Cobalt Strike stager	57acdb7a22f5f0c6d374be2341dbef97efbcc61f633f324beb0e1214614fef82
d1afca36f67b24eae7f2884c27c812cddc7e02f00f64bb2f62b40b21ef431084	Cobalt Strike	f570bd331a3d75e065d1825d97b922503c83a52fc54604d601d2e28f4a70902b
d1b6671fc0875678ecf39d737866d24aca03747a48f0c7e8855a5b09fc08712d	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
d3d48aa32b062b6e767966a8bab354eded60e0a11be5bc5b7ad8329aa5718c76	Cobalt Strike	60905c92501ec55883afc3f6402a05bddfd335323fdc0144515f01e8da0acbda
d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c	BlisterMythic	2fd38f6329b9b2c5e0379a445e81ece43fe0372dec260c1a17eefba6df9ffd55
d439f941b293e3ded35bf52fac7f20f6a2b7f2e4b189ad2ac7f50b8358110491	Cobalt Strike	18a9eafb936bf1d527bd4f0bfae623400d63671bafd0aad0f72bfb59beb44d5f
dac00ec780aabaffed1e89b3988905a7f6c5c330218b878679546a67d7e0eef2	Cobalt Strike	adc73af758c136e5799e25b4d3d69e462e090c8204ec8b8f548e36aac0f64a66
db62152fe9185cbd095508a15d9008b349634901d37258bc3939fe3a563b4b3c	MythicPacker	7f71d316c197e4e0aa1fce9d40c6068ada4249009e5da51479318de039973ad8
db81e91fc05991f71bfd5654cd60b9093c81d247ccd8b3478ab0ebef61efd2ad	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
dd42c1521dbee54173be66a5f98a811e5b6ee54ad1878183c915b03b68b7c9bb	Cobalt Strike	d988a867a53c327099a4c9732a1e4ced6fe6eca5dd68f67e5f562ab822b8374b
e0888b80220f200e522e42ec2f15629caa5a11111b8d1babff509d0da2b948f4	Cobalt Strike	915503b4e985ab31bc1d284f60003240430b3bdabb398ae112c4bd1fe45f3cdd
e30503082d3257737bba788396d7798e27977edf68b9dba7712a605577649ffb	Cobalt Strike	df01b0a8112ca80daf6922405c3f4d1ff7a8ff05233fc0786e9d06e63c9804d6
e521cad48d47d4c67705841b9c8fa265b3b0dba7de1ba674db3a63708ab63201	Cobalt Strike stager	40cac28490cddfa613fd58d1ecc8e676d9263a46a0ac6ae43bcbdfedc525b8ee
e62f5fc4528e323cb17de1fa161ad55eb451996dec3b31914b00e102a9761a52	Cobalt Strike	19e7bb5fa5262987d9903f388c4875ff2a376581e4c28dbf5ae7d128676b7065
ebafb35fd9c7720718446a61a0a1a10d09bf148d26cdcd229c1d3d672835335c	Cobalt Strike	5cb2683953b20f34ff26ddc0d3442d07b4cd863f29ec3a208cbed0dc760abd04
ebf40e12590fcc955b4df4ec3129cd379a6834013dae9bb18e0ec6f23f935bba	Cobalt Strike	d99bac48e6e347fcfd56bbf723a73b0b6fb5272f92a6931d5f30da76976d1705
ef7ff2d2decd8e16977d819f122635fcd8066fc8f49b27a809b58039583768d2	Cobalt Strike	adc73af758c136e5799e25b4d3d69e462e090c8204ec8b8f548e36aac0f64a66
efbffc6d81425ffb0d81e6771215c0a0e77d55d7f271ec685b38a1de7cc606a8	Cobalt Strike	47bd5fd96c350f5e48f5074ebee98e8b0f4efb8a0cd06db5af2bdc0f3ee6f44f
f08fdb0633d018c0245d071fa79cdc3915da75d3c6fc887a5ca6635c425f163a	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
f3bfd8ab9e79645babf0cb0138d51368fd452db584989c4709f613c93caf2bdc	Cobalt Strike	cd7135c94929f55e19e5d66359eab46422c3c59d794dde00c8b4726498e4e01a
f58de1733e819ea38bce21b60bb7c867e06edb8d4fd987ab09ecdbf7f6a319b9	MythicPacker	19eae7c0b7a1096a71b595befa655803c735006d75d5041c0e18307bd967dee6
f7fa532ad074db4a39fd0a545278ea85319d08d8a69c820b081457c317c0459e	Cobalt Strike	902d29871d3716113ca2af5caa6745cb4ab9d0614595325c1107fb83c1494483
fce9de0a0acf2ba65e9e252a383d37b2984488b6a97d889ec43ab742160acce1	Cobalt Strike stager	40cac28490cddfa613fd58d1ecc8e676d9263a46a0ac6ae43bcbdfedc525b8ee
ffb255e7a2aa48b96dd3430a5177d6f7f24121cc0097301f2e91f7e02c37e6bf	Cobalt Strike	5af6626a6bc7265c21adaffb23cc58bc52c4ebfe5bf816f77711d3bc7661c3d6
1a50c358fa4b725c6e0e26eee3646de26ba38e951f3fe414f4bf73532af62455	Cobalt Strike	8f1cc6ab8e95b9bfdf22a2bde77392e706b6fb7d3c1a3711dbc7ccd420400953
1be3397c2a85b4b9a5a111b9a4e53d382df47a0a09065639d9e66e0b55fe36fc	Cobalt Strike stager	3f28a055d56f46559a21a2b0db918194324a135d7e9c44b90af5209a2d2fd549
1d058302d1e747714cac899d0150dcc35bea54cc6e995915284c3a64a76aacb1	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
02b1bd89e9190ff5edfa998944fd6048d32a3bde3a72d413e8af538d9ad770b4	Cobalt Strike obfuscated shellcode	3760db55a6943f4216f14310ab10d404e5c0a53b966dd634b76dd669f59d2507
2cf125d6f21c657f8c3732be435af56ccbe24d3f6a773b15eccd3632ea509b1a	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
2f2e62c9481ba738a5da7baadfc6d029ef57bf7a627c2ac0b3e615cab5b0cfa2	Cobalt Strike	39ed516d8f9d9253e590bad7c5daecce9df21f1341fb7df95d7caa31779ea40f
3bc8ce92409876526ad6f48df44de3bd1e24a756177a07d72368e2d8b223bb39	Cobalt Strike	20e43f60a29bab142f050fab8c5671a0709ee4ed90a6279a80dd850e6f071464
3dffb7f05788d981efb12013d7fadf74fdf8f39fa74f04f72be482847c470a53	Cobalt Strike	8e78ad0ef549f38147c6444910395b053c533ac8fac8cdaa00056ad60b2a0848
3f6e3e7747e0b1815eb2a46d79ebd8e3cb9ccdc7032d52274bc0e60642e9b31e	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
3fff407bc45b879a1770643e09bb99f67cdcfe0e4f7f158a4e6df02299bac27e	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
4b3cd3aa5b961791a443b89e281de1b05bc3a9346036ec0da99b856ae7dc53a8	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
4faf362b3fe403975938e27195959871523689d0bf7fba757ddfa7d00d437fd4	Cobalt Strike	60905c92501ec55883afc3f6402a05bddfd335323fdc0144515f01e8da0acbda
5d72cc2e47d3fd781b3fc4e817b2d28911cd6f399d4780a5ff9c06c23069eae1	MythicPacker	9a08d2db7d0bd7d4251533551d4def0f5ee52e67dff13a2924191c8258573024
5ea74bca527f7f6ea8394d9d78e085bed065516eca0151a54474fffe91664198	Cobalt Strike	be314279f817f9f000a191efb8bcc2962fcc614b1f93c73dda46755269de404f
5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db	BlisterMythic	3d2499e5c9b46f1f144cfbbd4a2c8ca50a3c109496a936550cbb463edf08cd79
06cd6391b5fcf529168dc851f27bf3626f20e038a9c0193a60b406ad1ece6958	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
6a7ae217394047c17d56ec77b2243d9b55617a1ff591d2c2dfc01f2da335cbbf	MythicPacker	1e3b373f2438f1cc37e15fdede581bdf2f7fc22068534c89cb4e0c128d0e45dd
6e75a9266e6bbfd194693daf468dd86d106817706c57b1aad95d7720ac1e19e3	Cobalt Strike	4adf3875a3d8dd3ac4f8be9c83aaa7e3e35a8d664def68bc41fc539bfedfd33f
7e61498ec5f0780e0e37289c628001e76be88f647cad7a399759b6135be8210a	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
7f7b9f40eea29cfefc7f02aa825a93c3c6f973442da68caf21a3caae92464127	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
8b6eb2853ae9e5faff4afb08377525c9348571e01a0e50261c7557d662b158e1	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
8d53dc0857fa634414f84ad06d18092dedeb110689a08426f08cb1894c2212d4	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
8e6c0d338f201630b5c5ba4f1757e931bc065c49559c514658b4c2090a23e57b	Cobalt Strike	f2329ae2eb28bba301f132e5923282b74aa7a98693f44425789b18a447a33bff
8f9289915b3c6f8bf9a71d0a2d5aeb79ff024c108c2a8152e3e375076f3599d5	BlisterMythic	f89cfbc1d984d01c57dd1c3e8c92c7debc2beb5a2a43c1df028269a843525a38
9c5c9d35b7c2c448a610a739ff7b85139ea1ef39ecd9f51412892cd06fde4b1b	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
13c7f28044fdb1db2289036129b58326f294e76e011607ca8d4c5adc2ddddb16	Cobalt Strike	19e7bb5fa5262987d9903f388c4875ff2a376581e4c28dbf5ae7d128676b7065
19b0db9a9a08ee113d667d924992a29cd31c05f89582953eff5a52ad8f533f4b	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
19d4a7d08176119721b9a302c6942718118acb38dc1b52a132d9cead63b11210	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
22e65a613e4520a6f824a69b795c9f36af02247f644e50014320857e32383209	Cobalt Strike	18a9eafb936bf1d527bd4f0bfae623400d63671bafd0aad0f72bfb59beb44d5f
028da30664cb9f1baba47fdaf2d12d991dcf80514f5549fa51c38e62016c1710	Cobalt Strike	8e78ad0ef549f38147c6444910395b053c533ac8fac8cdaa00056ad60b2a0848
37b6fce45f6bb52041832eaf9c6d02cbc33a3ef2ca504adb88e19107d2a7aeaa	Cobalt Strike	902d29871d3716113ca2af5caa6745cb4ab9d0614595325c1107fb83c1494483
42beac1265e0efc220ed63526f5b475c70621573920968a457e87625d66973af	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
43c1ee0925ecd533e0b108c82b08a3819b371182e93910a0322617a8acf26646	Cobalt Strike	5cb2683953b20f34ff26ddc0d3442d07b4cd863f29ec3a208cbed0dc760abd04
44ce7403ca0c1299d67258161b1b700d3fa13dd68fbb6db7565104bba21e97ae	MythicPacker	f3b0357562e51311648684d381a23fa2c1d0900c32f5c4b03f4ad68f06e2adc1
49ba10b4264a68605d0b9ea7891b7078aeef4fa0a7b7831f2df6b600aae77776	Cobalt Strike	0603cf8f5343723892f08e990ae2de8649fcb4f2fd4ef3a456ef9519b545ed9e
54c7c153423250c8650efc0d610a12df683b2504e1a7a339dfd189eda25c98d4	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
58fdee05cb962a13c5105476e8000c873061874aadbc5998887f0633c880296a	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
73baa040cd6879d1d83c5afab29f61c3734136bffe03c72f520e025385f4e9a2	Cobalt Strike	17392d830935cfad96009107e8b034f952fb528f226a9428718669397bafd987
78d93b13efd0caa66f5d91455028928c3b1f44d0f2222d9701685080e30e317d	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
83c121db96d99f0d99b9e7a2384386f3f6debcb01d977c4ddca5bcdf2c6a2daa	Cobalt Strike stager	39323f9c0031250414cb4683662e1c533960dea8a54d7a700f77c6133a59c783
84b245fce9e936f1d0e15d9fca8a1e4df47c983111de66fcc0ad012a63478c8d	Cobalt Strike stager	d961e9db4a96c87226dbc973658a14082324e95a4b30d4aae456a8abe38f5233
84b2d16124b690d77c5c43c3a0d4ad78aaf10d38f88d9851de45d6073d8fcb65	Cobalt Strike	0091186459998ad5b699fdd54d57b1741af73838841c849c47f86601776b0b33
85d3f81a362a3df9ba2f0a00dd12cd654e55692feffc58782be44f4c531d9bb9	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
96e8b44ec061c49661bd192f279f7b7ba394d03495a2b46d3b37dcae0f4892f1	Cobalt Strike stager	6f7d7da247cac20d5978f1257fdd420679d0ce18fd8738bde02246129f93841b
96ebacf48656b804aed9979c2c4b651bbb1bc19878b56bdf76954d6eff8ad7ca	Cobalt Strike	d988a867a53c327099a4c9732a1e4ced6fe6eca5dd68f67e5f562ab822b8374b
113c9e7760da82261d77426d9c41bc108866c45947111dbae5cd3093d69e0f1d	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
149c3d044abc3c3a15ba1bb55db7e05cbf87008bd3d23d7dd4a3e31fcfd7af10	Cobalt Strike	e63807daa9be0228d90135ee707ddf03b0035313a88a78e50342807c27658ff2
307fc7ebde82f660950101ea7b57782209545af593d2c1115c89f328de917dbb	Cobalt Strike stager	40cac28490cddfa613fd58d1ecc8e676d9263a46a0ac6ae43bcbdfedc525b8ee
356efe6b10911d7daaffed64278ba713ab51f7130d1c15f3ca86d17d65849fa5	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
394ce0385276acc6f6c173a3dde6694881130278bfb646be94234cc7798fd9a9	Cobalt Strike	60e2fe4eb433d3f6d590e75b2a767755146aca7a9ba6fd387f336ccb3c5391f8
396dce335b16111089a07ecb2d69827f258420685c2d9f3ea9e1deee4bff9561	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
541eab9e348c40d510db914387068c6bfdf46a6ff84364fe63f6e114af8d79cf	Cobalt Strike stager	4e2a011922e0060f995bfde375d75060bed00175dc291653445357b29d1afc38
745a3dcdda16b93fedac8d7eefd1df32a7255665b8e3ee71e1869dd5cd14d61c	Cobalt Strike obfuscated shellcode	cef1a88dfc436dab9ae104f0770a434891bbd609e64df43179b42b03a7e8f908
753f77134578d4b941b8d832e93314a71594551931270570140805675c6e9ad3	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
863de84a39c9f741d8103db83b076695d0d10a7384e4e3ba319c05a6018d9737	Cobalt Strike	3a1e65d7e9c3c23c41cb1b7d1117be4355bebf0531c7473a77f957d99e6ad1d4
902fa7049e255d5c40081f2aa168ac7b36b56041612150c3a5d2b6df707a3cff	Cobalt Strike	397c08f5cdc59085a48541c89d23a8880d41552031955c4ba38ff62e57cfd803
927e04371fa8b8d8a1de58533053c305bb73a8df8765132a932efd579011c375	Cobalt Strike	2e0767958435dd4d218ba0bc99041cc9f12c9430a09bb1222ac9d1b7922c2632
2043d7f2e000502f69977b334e81f307e2fda742bbc5b38745f6c1841757fddc	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
02239cac2ff37e7f822fd4ee57ac909c9f541a93c27709e9728fef2000453afe	Cobalt Strike	18a9eafb936bf1d527bd4f0bfae623400d63671bafd0aad0f72bfb59beb44d5f
4257bf17d15358c2f22e664b6112437b0c2304332ff0808095f1f47cf29fc1a2	Cobalt Strike	3a1e65d7e9c3c23c41cb1b7d1117be4355bebf0531c7473a77f957d99e6ad1d4
6558ac814046ecf3da8c69affea28ce93524f93488518d847e4f03b9327acb44	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
8450ed10b4bef6f906ff45c66d1a4a74358d3ae857d3647e139fdaf0e3648c10	BlisterMythic	ab7cab5192f0bef148670338136b0d3affe8ae0845e0590228929aef70cb9b8b
9120f929938cd629471c7714c75d75d30daae1f2e9135239ea5619d77574c1fe	Cobalt Strike	647e992e24e18c14099b68083e9b04575164ed2b4f5069f33ff55f84ee97fff0
28561f309d208e885a325c974a90b86741484ba5e466d59f01f660bed1693689	Cobalt Strike	397c08f5cdc59085a48541c89d23a8880d41552031955c4ba38ff62e57cfd803
30628bcb1db7252bf710c1d37f9718ac37a8e2081a2980bead4f21336d2444bc	Cobalt Strike obfuscated shellcode	13f23b5db4a3d0331c438ca7d516d565a08cac83ae515a51a7ab4e6e76b051b1
53121c9c5164d8680ae1b88d95018a553dff871d7b4d6e06bd69cbac047fe00f	Cobalt Strike	902d29871d3716113ca2af5caa6745cb4ab9d0614595325c1107fb83c1494483
67136ab70c5e604c6817105b62b2ee8f8c5199a647242c0ddbf261064bb3ced3	Cobalt Strike obfuscated shellcode	0aecd621b386126459b39518f157ee240866c6db1885780470d30a0ebf298e16
79982f39ea0c13eeb93734b12f395090db2b65851968652cab5f6b0827b49005	MythicPacker	152455f9d970f900eb237e1fc2c29ac4c72616485b04e07c7e733b95b6afc4d8
87269a95b1c0e724a1bfe87ddcb181eac402591581ee2d9b0f56dedbaac04ff8	Cobalt Strike	f3d42e4c1a47f0e1d3812d5f912487d04662152c17c7aa63e836bef01a1a4866
89196b39a0edebdf2026053cb4e87d703b9942487196ff9054ef775fdcad1899	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
91446c6d3c11074e6ff0ff42df825f9ffd5f852c2e6532d4b9d8de340fa32fb8	Test application	43308bde79e71b2ed14f318374a80fadf201cc3e34a887716708635294031b1b
96823bb6befe5899739bd69ab00a6b4ae1256fd586159968301a4a69d675a5ec	Cobalt Strike	3b3bdd819f4ee8daa61f07fc9197b2b39d0434206be757679c993b11acc8d05f
315217b860ab46c6205b36e49dfaa927545b90037373279723c3dec165dfaf11	Cobalt Strike	96fab57ef06b433f14743da96a5b874e96d8c977b758abeeb0596f2e1222b182
427481ab85a0c4e03d1431a417ceab66919c3e704d7e017b355d8d64be2ccf41	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
595153eb56030c0e466cda0becb1dc9560e38601c1e0803c46e7dfc53d1d2892	Cobalt Strike	f245b2bc118c3c20ed96c8a9fd0a7b659364f9e8e2ee681f5683681e93c4d78b
812263ea9c6c44ef6b4d3950c5a316f765b62404391ddb6482bdc9a23d6cc4a6	Cobalt Strike	18a9eafb936bf1d527bd4f0bfae623400d63671bafd0aad0f72bfb59beb44d5f
1358156c01b035f474ed12408a9e6a77fe01af8df70c08995393cbb7d1e1f8a6	Cobalt Strike	b916749963bb08b15de7c302521fd0ffec1c6660ba616628997475ae944e86a3
73162738fb3b9cdd3414609d3fe930184cdd3223d9c0d7cb56e4635eb4b2ab67	Cobalt Strike	19e7bb5fa5262987d9903f388c4875ff2a376581e4c28dbf5ae7d128676b7065
343728792ed1e40173f1e9c5f3af894feacd470a9cdc72e4f62c0dc9cbf63fc1	Putty	0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
384408659efa1f87801aa494d912047c26259cd29b08de990058e6b45619d91a	Cobalt Strike stager	824914bb34ca55a10f902d4ad2ec931980f5607efcb3ea1e86847689e2957210
49925637250438b05d3aebaac70bb180a0825ec4272fbe74c6fecb5e085bcf10	Cobalt Strike	e0c0491e45dda838f4ac01b731dd39cc7064675a6e1b79b184fff99cdce52f54