Configuration
ns7.softline.top —
x86 —
port 443
hash 327629c21782f90f4bd5f7c0779d05e9dbe87244dbf6bbef6703293700f2a620
first 2026-03-27 15:12:23 CET / last 2026-03-27 15:12:23 CET
Attributes
| Path | Value |
|---|---|
| version | Cobalt Strike 3.8 (May 23, 2017) |
| watermark | None |
| trial | True |
| protocol | dns |
| settings.SETTING_PROTOCOL | 1 |
| settings.SETTING_PORT | 443 |
| settings.SETTING_SLEEPTIME | 5000 |
| settings.SETTING_MAXGET | 1048576 |
| settings.SETTING_JITTER | 0 |
| settings.SETTING_MAXDNS | 255 |
| settings.SETTING_PUBKEY | 48ce3db239a851e2cb8b79ce22cea1babe5d55b36af2e6b6e2f6b67fa59e9c7a |
| settings.SETTING_DOMAINS | ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books |
| settings.SETTING_USERAGENT | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
| settings.SETTING_SUBMITURI | /N4215/adj/amzn.us.sr.aps |
| settings.SETTING_C2_RECOVER[0][0] | print |
| settings.SETTING_C2_RECOVER[0][1] | True |
| settings.SETTING_C2_REQUEST[0][0] | _HEADER |
| settings.SETTING_C2_REQUEST[0][1] | Accept: */* |
| settings.SETTING_C2_REQUEST[1][0] | _HEADER |
| settings.SETTING_C2_REQUEST[1][1] | Host: www.amazon.com |
| settings.SETTING_C2_REQUEST[2][0] | BUILD |
| settings.SETTING_C2_REQUEST[2][1] | metadata |
| settings.SETTING_C2_REQUEST[3][0] | BASE64 |
| settings.SETTING_C2_REQUEST[3][1] | True |
| settings.SETTING_C2_REQUEST[4][0] | PREPEND |
| settings.SETTING_C2_REQUEST[4][1] | session-token= |
| settings.SETTING_C2_REQUEST[5][0] | PREPEND |
| settings.SETTING_C2_REQUEST[5][1] | skin=noskin; |
| settings.SETTING_C2_REQUEST[6][0] | APPEND |
| settings.SETTING_C2_REQUEST[6][1] | csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996 |
| settings.SETTING_C2_REQUEST[7][0] | HEADER |
| settings.SETTING_C2_REQUEST[7][1] | Cookie |
| settings.SETTING_C2_POSTREQ[0][0] | _HEADER |
| settings.SETTING_C2_POSTREQ[0][1] | Accept: */* |
| settings.SETTING_C2_POSTREQ[1][0] | _HEADER |
| settings.SETTING_C2_POSTREQ[1][1] | Content-Type: text/xml |
| settings.SETTING_C2_POSTREQ[2][0] | _HEADER |
| settings.SETTING_C2_POSTREQ[2][1] | X-Requested-With: XMLHttpRequest |
| settings.SETTING_C2_POSTREQ[3][0] | _HEADER |
| settings.SETTING_C2_POSTREQ[3][1] | Host: www.amazon.com |
| settings.SETTING_C2_POSTREQ[4][0] | _PARAMETER |
| settings.SETTING_C2_POSTREQ[4][1] | sz=160x600 |
| settings.SETTING_C2_POSTREQ[5][0] | _PARAMETER |
| settings.SETTING_C2_POSTREQ[5][1] | oe=oe=ISO-8859-1; |
| settings.SETTING_C2_POSTREQ[6][0] | BUILD |
| settings.SETTING_C2_POSTREQ[6][1] | id |
| settings.SETTING_C2_POSTREQ[7][0] | PARAMETER |
| settings.SETTING_C2_POSTREQ[7][1] | sn |
| settings.SETTING_C2_POSTREQ[8][0] | _PARAMETER |
| settings.SETTING_C2_POSTREQ[8][1] | s=3717 |
| settings.SETTING_C2_POSTREQ[9][0] | _PARAMETER |
| settings.SETTING_C2_POSTREQ[9][1] | dc_ref=http%3A%2F%2Fwww.amazon.com |
| settings.SETTING_C2_POSTREQ[10][0] | BUILD |
| settings.SETTING_C2_POSTREQ[10][1] | output |
| settings.SETTING_C2_POSTREQ[11][0] | BASE64 |
| settings.SETTING_C2_POSTREQ[11][1] | True |
| settings.SETTING_C2_POSTREQ[12][0] | PRINT |
| settings.SETTING_C2_POSTREQ[12][1] | True |
| settings.SETTING_SPAWNTO_X86 | %windir%\syswow64\rundll32.exe |
| settings.SETTING_SPAWNTO_X64 | %windir%\sysnative\rundll32.exe |
| settings.SETTING_PIPENAME | \\%s\pipe\msagent_%x |
| settings.SETTING_CRYPTO_SCHEME | 1 |
| settings.SETTING_DNS_IDLE | 0.0.0.0 |
| settings.SETTING_DNS_SLEEP | 0 |
| settings.SETTING_C2_VERB_GET | GET |
| settings.SETTING_C2_VERB_POST | POST |
| settings.SETTING_C2_CHUNK_POST | 0 |
| settings.SETTING_PROXY_BEHAVIOR | 2 |
| settings.SETTING_BOF_ALLOCATOR | VirtualAlloc |
| settings.SETTING_SYSCALL_METHOD | 0 |
| settings.SETTING_KILLDATE_DAY | 0 |
| settings.SETTING_INJECT_OPTIONS | 3 |
Full JSON
{
"protocol": "dns",
"settings": {
"SETTING_BOF_ALLOCATOR": "VirtualAlloc",
"SETTING_C2_CHUNK_POST": 0,
"SETTING_C2_POSTREQ": [
[
"_HEADER",
"Accept: */*"
],
[
"_HEADER",
"Content-Type: text/xml"
],
[
"_HEADER",
"X-Requested-With: XMLHttpRequest"
],
[
"_HEADER",
"Host: www.amazon.com"
],
[
"_PARAMETER",
"sz=160x600"
],
[
"_PARAMETER",
"oe=oe=ISO-8859-1;"
],
[
"BUILD",
"id"
],
[
"PARAMETER",
"sn"
],
[
"_PARAMETER",
"s=3717"
],
[
"_PARAMETER",
"dc_ref=http%3A%2F%2Fwww.amazon.com"
],
[
"BUILD",
"output"
],
[
"BASE64",
true
],
[
"PRINT",
true
]
],
"SETTING_C2_RECOVER": [
[
"print",
true
]
],
"SETTING_C2_REQUEST": [
[
"_HEADER",
"Accept: */*"
],
[
"_HEADER",
"Host: www.amazon.com"
],
[
"BUILD",
"metadata"
],
[
"BASE64",
true
],
[
"PREPEND",
"session-token="
],
[
"PREPEND",
"skin=noskin;"
],
[
"APPEND",
"csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996"
],
[
"HEADER",
"Cookie"
]
],
"SETTING_C2_VERB_GET": "GET",
"SETTING_C2_VERB_POST": "POST",
"SETTING_CRYPTO_SCHEME": 1,
"SETTING_DNS_IDLE": "0.0.0.0",
"SETTING_DNS_SLEEP": 0,
"SETTING_DOMAINS": "ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
"SETTING_INJECT_OPTIONS": 3,
"SETTING_JITTER": 0,
"SETTING_KILLDATE_DAY": 0,
"SETTING_MAXDNS": 255,
"SETTING_MAXGET": 1048576,
"SETTING_PIPENAME": "\\\\%s\\pipe\\msagent_%x",
"SETTING_PORT": 443,
"SETTING_PROTOCOL": 1,
"SETTING_PROXY_BEHAVIOR": 2,
"SETTING_PUBKEY": "48ce3db239a851e2cb8b79ce22cea1babe5d55b36af2e6b6e2f6b67fa59e9c7a",
"SETTING_SLEEPTIME": 5000,
"SETTING_SPAWNTO_X64": "%windir%\\sysnative\\rundll32.exe",
"SETTING_SPAWNTO_X86": "%windir%\\syswow64\\rundll32.exe",
"SETTING_SUBMITURI": "/N4215/adj/amzn.us.sr.aps",
"SETTING_SYSCALL_METHOD": 0,
"SETTING_USERAGENT": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
},
"trial": true,
"version": "Cobalt Strike 3.8 (May 23, 2017)",
"watermark": null
}