Scenario
As an Intelligence Analyst you are tasked with assisting the SOC Analysts with their investigations, providing additional context and information.
https://blueteamlabs.online/home/investigation/foxy-45e69136ae

1- The SOC recently observed network connections from 3 internal hosts towards hxxp://45.63.126[.]199/dot.gif (URL has been sanitized). What is this activity likely related to?
Cobalt Strike

Remove the sanitization (hxxp -> http, [.] -> .) and search for the IP in full_urls.csv or full_ip-port.csv.
2- How many URLs are using the same endpoint 'dot.gif', across all export files? (include duplicates)
568

So I grep for dot.gif in every CSV and then add the counts up,
instead of just using * 💀
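The two lookups above (refang the sanitized URL, then count every row hitting the dot.gif endpoint across all export files, duplicates included) as an added Python example; this is not code from the lab or the page. The CSV rows and their column layout are constructed stand-ins for the real export files, so the totals here are not the lab's answers.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-ins for the export files the page searches (full_urls.csv
# and full_ip-port.csv); the column names are an assumption, not the real layout.
SAMPLE_EXPORTS = {
    "full_urls.csv": (
        "first_seen_utc,ioc_value,ioc_type,malware\n"
        "2022-03-01 10:00:00,http://45.63.126.199/dot.gif,url,win.cobalt_strike\n"
        "2022-03-01 10:05:00,http://45.63.126.199/dot.gif,url,win.cobalt_strike\n"
        "2022-03-02 09:00:00,http://203.0.113.7/dot.gif?v=1,url,win.cobalt_strike\n"
        "2022-03-02 09:30:00,http://203.0.113.7/update.php,url,win.emotet\n"
    ),
    "full_ip-port.csv": (
        "first_seen_utc,ioc_value,ioc_type,malware\n"
        "2022-03-01 11:00:00,45.63.126.199:80,ip:port,win.cobalt_strike\n"
        "2022-03-03 08:00:00,198.51.100.20:443,ip:port,win.qakbot\n"
    ),
}

def refang(ioc):
    """Undo common defanging: hxxp -> http, [.] / (.) / {.} -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)
    return ioc.replace("[:]", ":")

def rows(exports):
    """Yield (filename, row) for every data row of every export file."""
    for name, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            yield name, row

def count_endpoint(exports, endpoint):
    """Per-file and total count of rows whose URL path ends in `endpoint`,
    duplicates included (question 2). Query strings are ignored."""
    per_file = Counter()
    for name, row in rows(exports):
        path = row["ioc_value"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == endpoint:
            per_file[name] += 1
    return per_file, sum(per_file.values())

def malware_for(exports, defanged_ioc):
    """Refang an indicator, pull out its host, and return the malware families
    attached to every row mentioning that exact host (question 1)."""
    host = re.sub(r"^https?://", "", refang(defanged_ioc)).split("/", 1)[0]
    host = host.split(":", 1)[0]
    exact = re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")
    return sorted({row["malware"] for _, row in rows(exports)
                   if exact.search(row["ioc_value"])})
```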
3- The SHA256 hash of a file was detected and quarantined on one of the Executives old android phones. We are trying to work out what this file does so we can take next steps. The hash value is 6461851c092d0074150e4e56a146108ae82130c22580fb444c1444e7d936e0b5. Is this file associated with malware? If so, what is the malware name? (as stated by Malware Bazaar)