2022-08-30 (TUESDAY) - FOLLOW-UP TRAFFIC FROM BUMBLEBEE INFECTION (SLIVER)
- I can't share the full pcap, but I extracted the unidentified TLSv1.3 traffic over TCP port 8557, in case someone can figure out what it is.
- Zip files are password-protected. If you don't know the password, see the "about" page of this website.
- UPDATE: I was informed through a trusted source this traffic was caused by malware based on Sliver.
- 2022-08-30-IPv4-184.108.40.206-TCP-port-8557.pcap.zip 21.0 kB (21,004 bytes)
FILE USED TO GENERATE THIS INFECTION:
- Powershell script (.ps1) file: link to sample on bazaar.abuse.ch
- Bumblebee HTTPS (TLSv1.2) traffic: 220.127.116.11:443
- Unidentified TLSv1.3 traffic: 18.104.22.168:8557
- Cobalt Strike HTTPS (TLSv1.3) traffic: 23.19.58.94:443
- Cobalt Strike HTTPS (TLSv1.3) traffic: 22.214.171.124:443
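The traffic on TCP port 8557 was labelled "TLSv1.3" before anyone knew it was Sliver, and the only thing in a TLS 1.3 ClientHello that actually says 1.3 is the supported_versions extension: the record-layer and legacy handshake versions still read 0x0301/0x0303, exactly as in TLS 1.2. The script below is an added example, not code from this page or from the Sliver project, showing how to pull that evidence (record version, legacy version, supported_versions, SNI, cipher suites) out of the first client payload of a flow and flag TLS handshakes on ports other than 443. Since the pcap is not reproduced here, the ClientHello bytes and the flow tuples (192.0.2.x addresses, port numbers) are constructed in the script and are not taken from the infection.

```python
"""Classify unknown TLS flows from their ClientHello (added example, constructed data)."""
import struct

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(payload: bytes) -> dict:
    """Parse a TLS ClientHello record; raise ValueError for anything else."""
    # Record header: content type (0x16 = handshake), version, length.
    if len(payload) < 5 or payload[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!xHH", payload[:5])
    body = payload[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello), 3-byte length.
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 0
    legacy_ver = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2 + 32                      # legacy_version + 32-byte random
    off += 1 + hs[off]                 # legacy_session_id
    cs_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + hs[off]                 # legacy_compression_methods
    info = {
        "record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
        "legacy_version": TLS_VERSIONS.get(legacy_ver, hex(legacy_ver)),
        "cipher_suites": ciphers,
        "supported_versions": [],
        "sni": None,
    }
    if off + 2 <= len(hs):             # extensions block is optional
        end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            edata = hs[off:off + elen]
            off += elen
            if etype == 0:             # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 43:          # supported_versions: len(1) then 2-byte versions
                vs = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
                info["supported_versions"] = [TLS_VERSIONS.get(v, hex(v)) for v in vs]
    # Only supported_versions proves TLS 1.3; the header versions never do.
    info["negotiable_tls13"] = "TLSv1.3" in info["supported_versions"]
    return info


def flag_tls_on_unusual_ports(flows, expected_ports=(443,)):
    """flows: iterable of (src, dst, dst_port, first_client_payload).
    Returns (dst, dst_port, parsed ClientHello) for TLS handshakes on other ports."""
    hits = []
    for _src, dst, dport, payload in flows:
        if dport in expected_ports:
            continue
        try:
            hits.append((dst, dport, parse_client_hello(payload)))
        except ValueError:
            continue                   # not TLS (plain HTTP, binary protocol, ...)
    return hits


def build_client_hello(versions, ciphers, sni) -> bytes:
    """Construct a minimal ClientHello for testing (versions=None omits supported_versions)."""
    exts = b""
    if sni:
        name = sni.encode()
        sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(sn)) + sn
    if versions is not None:
        sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 43, len(sv)) + sv
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed sample flows (documentation addresses, not the infection's IOCs).
TLS13_HELLO = build_client_hello((0x0304, 0x0303), (0x1301, 0x1302, 0xC02F), "example.test")
TLS12_HELLO = build_client_hello(None, (0xC02F,), None)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 8557, TLS13_HELLO),
    ("10.0.0.5", "192.0.2.20", 443, TLS13_HELLO),
    ("10.0.0.5", "192.0.2.30", 8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", "192.0.2.40", 8443, TLS12_HELLO),
]

if __name__ == "__main__":
    for dst, dport, info in flag_tls_on_unusual_ports(SAMPLE_FLOWS):
        print(dst, dport, info)
```

Feed it the first client-to-server payload of each TCP stream (e.g. exported from Wireshark with "Follow TCP Stream" or reassembled with a pcap library) and it returns the handshakes worth a closer look. A hit on a port like 8557 with supported_versions containing TLSv1.3 and no SNI is only a lead, not an attribution: the same parser output will appear for any TLS 1.3 client, so confirm the family from the certificate, JA3/JA3S, or the binary itself, as was eventually done here.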
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557.
Shown above: TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557 kept alive while victim host was active.