General
-
Target
vems.exe
-
Size
371KB
-
Sample
230913-qg2acaca8w
-
MD5
11a7a460407f9e4195c86cf86992b833
-
SHA1
915b5fd9461edcb24bde2a7345d205012231c74d
-
SHA256
84175d90c85177640eea2006fefe99499f4d8295e1112171f9a9054e6888db67
-
SHA512
67a421976cbb927f8e2310a4f1befd6417412953076dcaa603fc8e3ba3d40bb655faac3d1f4b2d1a058fa574e86961da8fdfa589cca99f4524c1ea1fe700ccfa
-
SSDEEP
6144:VcCI4PcgXSA8FHKw24zv6Md6NgsXyhyUzjhXGrql:VcCI4VSACKwRyzN3UmrU
Static task
static1
Behavioral task
behavioral1
Sample
vems.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
vems.exe
Resource
win10v2004-20230831-en
Malware Config
Extracted
cobaltstrike
674054486 (watermark / licence ID of the Cobalt Strike build; same value as the watermark field below)
http://brovserupescheck.info:443/broadcast (C2 URL as reconstructed by the extractor — note the http:// scheme on port 443; treat the domain and port as the indicator rather than the scheme)
-
access_type
512
-
beacon_type
2048
-
host
brovserupescheck.info,/broadcast
-
http_header1
(header value not preserved in this copy of the report)
-
http_header2
(header value not preserved in this copy of the report)
-
http_method1
GET
-
http_method2
POST
-
jitter
7680 (out of range for a Cobalt Strike jitter percentage, which is 0–99; this and the access_type/beacon_type values above look like raw or byte-swapped field reads from the extractor — verify against the sample before using them in detection logic)
-
polling_time
1200000 (sleep time in milliseconds, i.e. a 20-minute interval between check-ins)
-
port_number
443
-
sc_process32 (spawnto for post-exploitation jobs from a 32-bit beacon)
%windir%\syswow64\gpupdate.exe
-
sc_process64 (spawnto for post-exploitation jobs from a 64-bit beacon; sysnative resolves to the native System32 on 64-bit hosts)
%windir%\sysnative\gpupdate.exe
-
state_machine (field appears mislabelled: the base64 value begins with the DER prefix of a 1024-bit RSA SubjectPublicKeyInfo and is zero-padded, consistent with the beacon's public key rather than a state machine)
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdZcrTgNoA9YhE9c28Ot9+50F9Eq8KMNVyq1GZmBuStkpPVvpYyP0Lc+3PhcJTlq56ACaJEZCuI/OD2OlYa8QbdIt7jzHMZ73JFaDNm+jz6LdLWJQBIS2C45jEbQGdP+H20szUTRtLhFzUsZfQ3OSZWb8kABztvZVvxRwaLGKz6wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1 (unparsed field)
928716032
-
unknown2
AAAABAAAAAEAAAUcAAAAAQAAAAEAAAACAAAAwgAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri (POST path; resembles an Amazon client-side-metrics telemetry endpoint, presumably chosen to blend with legitimate traffic)
/1/events/com.amazon.csm.csa.prod
-
user_agent (a common, legitimate Chrome 109 on Windows 10 string — not a useful standalone indicator)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
-
watermark
674054486
Extracted
cobaltstrike
0
-
watermark
0 (second extraction yielded only a zero watermark — likely a partial or duplicate parse rather than a second C2 profile; rely on the config above)
Targets
-
-
Target
vems.exe
-
Size
371KB
-
MD5
11a7a460407f9e4195c86cf86992b833
-
SHA1
915b5fd9461edcb24bde2a7345d205012231c74d
-
SHA256
84175d90c85177640eea2006fefe99499f4d8295e1112171f9a9054e6888db67
-
SHA512
67a421976cbb927f8e2310a4f1befd6417412953076dcaa603fc8e3ba3d40bb655faac3d1f4b2d1a058fa574e86961da8fdfa589cca99f4524c1ea1fe700ccfa
-
SSDEEP
6144:VcCI4PcgXSA8FHKw24zv6Md6NgsXyhyUzjhXGrql:VcCI4VSACKwRyzN3UmrU
Score 10/10