2022-08-30 (TUESDAY) - FOLLOW-UP TRAFFIC FROM BUMBLEBEE INFECTION (SLIVER)
NOTES:
- I can't share the full pcap, but I extracted the unidentified TLSv1.3 traffic over TCP port 8557, in case someone can figure out what it is.
- Zip files are password-protected. If you don't know the password, see the "about" page of this website.
- UPDATE: I was informed through a trusted source this traffic was caused by malware based on Sliver.
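As an added illustration (not part of the original post), a Python detector for the pattern the notes describe: a TLS ClientHello sent to a port where TLS is not normally expected, with the client's highest offered TLS version and SNI pulled from the handshake so the "unidentified TLSv1.3 on 8557" case stands out. The sample ClientHello and the TLS_PORTS set are constructed assumptions, not data from the pcap.

```python
import struct

TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}   # where TLS is expected; assumption, tune per site

def build_client_hello(sni: bytes) -> bytes:
    """Constructed sample (not from the pcap): a minimal TLS 1.3 ClientHello record."""
    name = struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni            # server_name list
    exts = struct.pack(">HH", 0x0000, len(name)) + name                     # ext 0: SNI
    exts += struct.pack(">HHBHH", 0x002b, 5, 4, 0x0304, 0x0303)             # ext 43: supported_versions
    hello = (struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"             # legacy_version, random, no session_id
             + struct.pack(">HH", 2, 0x1301) + b"\x01\x00"                   # one cipher suite, null compression
             + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello                    # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs                # record type handshake(22)

def parse_client_hello(data: bytes):
    """Return {'max_version', 'sni'} for a TLS ClientHello record, else None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) != hs_len:
            return None                                                     # truncated record
        max_ver, sni = struct.unpack(">H", body[:2])[0], None               # legacy_version as fallback
        pos = 2 + 32                                                        # skip legacy_version + random
        pos += 1 + body[pos]                                                # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]                # cipher_suites
        pos += 1 + body[pos]                                                # compression_methods
        if pos == len(body):                                                # no extensions (older client)
            return {"max_version": max_ver, "sni": sni}
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            ext, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0x002b:                                             # supported_versions: highest offered
                max_ver = max(struct.unpack(">H", ext[i:i + 2])[0] for i in range(1, 1 + ext[0], 2))
            elif etype == 0x0000:                                           # server_name
                sni = ext[5:5 + struct.unpack(">H", ext[3:5])[0]].decode("ascii", "replace")
        return {"max_version": max_ver, "sni": sni}
    except (IndexError, struct.error):
        return None

def flag_tls_on_odd_port(dst_port: int, payload: bytes):
    """Describe a TLS ClientHello sent to a port where TLS is not expected, else None."""
    h = parse_client_hello(payload)
    if h is None or dst_port in TLS_PORTS:
        return None
    return "TLSv1.%d ClientHello to tcp/%d (SNI=%s)" % (h["max_version"] - 0x0301, dst_port, h["sni"] or "none")
```

Feed it the first client-to-server payload of each TCP stream; a hit on a port like 8557 is the kind of session worth pulling out of the pcap for a closer look.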
ASSOCIATED FILES:
- 2022-08-30-IPv4-65.20.115.15-TCP-port-8557.pcap.zip 21.0 kB (21,004 bytes)
INDICATORS
FILE USED TO GENERATE THIS INFECTION:
- Powershell script (.ps1) file: link to sample on bazaar.abuse.ch
TRAFFIC:
- Bumblebee HTTPS (TLSv1.2) traffic: 142.11.234.238:443
- Unidentified TLSv1.3 traffic: 65.20.115.15:8557
- Cobalt Strike HTTPS (TLSv1.3) traffic: 23.19.58.94:443
- Cobalt Strike HTTPS (TLSv1.3) traffic: 23.81.246.152:443
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557.
Shown above: TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557 kept alive while victim host was active.