Using default safebrowsing malleable profile for C2.
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Spawn and inject in: rundll32.exe
Example GET URI: /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
Example POST URI: /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
Headers:
https://github.com/jacobsoo/ThreatHunting/blob/master/Vietnam/1bc5a02963497fc74e265f11d809cd179fd46852b762e732f736ced12cad9077.md
It "may" use DNS C2; the configured DNS idle response is 0.0.0.0. DNS sleep is 0. HTTP sleep is 5 seconds.
Pipename: msagent_*
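As an added hunting example (not part of this note or the ThreatHunting repository), the Python below turns the indicators above into checks that run over constructed proxy, DNS and named-pipe telemetry: the safebrowsing URI prefix combined with the profile's exact User-Agent, a near-constant 5 second request cadence from one client, a 0.0.0.0 DNS answer, and an msagent_ pipe name. The log line format, the sample lines and all helper names are assumptions made for the example.

```python
"""Hunt for the Cobalt Strike default 'safebrowsing' malleable C2 profile.

Added example; not part of the original note. The indicators (URI prefix,
User-Agent, 5 second HTTP sleep, 0.0.0.0 DNS idle answer, msagent_* pipe)
come from the note above. The proxy log format is constructed for this
example and is an assumption, not any real proxy or EDR export format.
"""
import re
from collections import defaultdict
from datetime import datetime

SAFEBROWSING_URI_PREFIX = "/safebrowsing/rd/"
PROFILE_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)
DNS_IDLE_ANSWER = "0.0.0.0"
HTTP_SLEEP_SECONDS = 5

# Constructed proxy log format: <timestamp> <client-ip> <method> <uri> "<user-agent>"
PROXY_LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

# Constructed sample lines: two beacon check-ins 5 s apart, one normal
# browser request, and one request that shares the prefix but not the UA.
SAMPLE_PROXY_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 GET /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2024-05-01T10:00:05Z 10.0.0.5 POST /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2024-05-01T10:00:07Z 10.0.0.9 GET /index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2024-05-01T10:00:09Z 10.0.0.9 GET /safebrowsing/rd/AAAA '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]


def parse_proxy_line(line):
    # Return a dict for a well-formed line, or None for anything else.
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, uri, ua = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "uri": uri, "ua": ua,
    }


def is_safebrowsing_beacon(entry):
    # Require both the profile's URI prefix and its exact User-Agent; the
    # prefix alone also appears in legitimate Google Safe Browsing traffic.
    return (entry["uri"].startswith(SAFEBROWSING_URI_PREFIX)
            and entry["ua"] == PROFILE_USER_AGENT)


def hunt_proxy_log(lines):
    # Return the parsed entries that match the profile, in log order.
    hits = []
    for line in lines:
        entry = parse_proxy_line(line)
        if entry and is_safebrowsing_beacon(entry):
            hits.append(entry)
    return hits


def periodic_clients(hits, sleep=HTTP_SLEEP_SECONDS, tolerance=1):
    # Clients whose matching requests recur at the profile's HTTP sleep.
    # A beacon with a 5 s sleep shows up as a near-constant gap.
    by_client = defaultdict(list)
    for e in hits:
        by_client[e["client"]].append(e["ts"])
    periodic = set()
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and all(abs(g - sleep) <= tolerance for g in gaps):
            periodic.add(client)
    return periodic


def is_dns_idle_answer(answer_ip):
    # An idling DNS beacon is answered with the configured idle address.
    return answer_ip.strip() == DNS_IDLE_ANSWER


def is_suspicious_pipe(pipe_path):
    # Match msagent_* with or without the \\.\pipe\ prefix, case-insensitively.
    name = pipe_path.rsplit("\\", 1)[-1]
    return name.lower().startswith("msagent_")


if __name__ == "__main__":
    hits = hunt_proxy_log(SAMPLE_PROXY_LOG)
    for e in hits:
        print(f"{e['ts'].isoformat()} {e['client']} {e['method']} {e['uri']}")
    print("periodic clients:", sorted(periodic_clients(hits)))
    print("pipe check:", is_suspicious_pipe(r"\\.\pipe\msagent_1a2b"))
```

Requiring the User-Agent as well as the URI prefix keeps real Safe Browsing lookups out of the hit list; the cadence check is a second, independent signal, since a beacon sleeping 5 seconds with no jitter produces gaps a browser does not.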