cobaltstrike

General

Target

vems.exe
Size

371KB
Sample

231014-en1rlsfg5v
MD5

11a7a460407f9e4195c86cf86992b833
SHA1

915b5fd9461edcb24bde2a7345d205012231c74d
SHA256

84175d90c85177640eea2006fefe99499f4d8295e1112171f9a9054e6888db67
SHA512

67a421976cbb927f8e2310a4f1befd6417412953076dcaa603fc8e3ba3d40bb655faac3d1f4b2d1a058fa574e86961da8fdfa589cca99f4524c1ea1fe700ccfa
SSDEEP

6144:VcCI4PcgXSA8FHKw24zv6Md6NgsXyhyUzjhXGrql:VcCI4VSACKwRyzN3UmrU

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

674054486

C2

http://brovserupescheck.info:443/broadcast

Attributes

access_type
512
beacon_type
2048
host
brovserupescheck.info,/broadcast
http_header1
AAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeT3JpZ2luOiBodHRwczovL3d3dy5hbWF6b24uY29tAAAACgAAAB9SZWZlcmVyOiBodHRwczovL3d3dy5hbWF6b24uY29tAAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAFFNlYy1GZXRjaC1Nb2RlOiBjb3JzAAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAoAAAAMVGU6IHRyYWlsZXJzAAAABwAAAAAAAAADAAAABgAAABB4LWFtem4tUmVxdWVzdElkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeT3JpZ2luOiBodHRwczovL3d3dy5hbWF6b24uY29tAAAABwAAAAEAAAANAAAAAgAAAPR7ImV2ZW50cyI6W3siZGF0YSI6eyJzY2hlbWFJZCI6ImNzYS5WaWRlb0ludGVyYWN0aW9ucy4xIiwiYXBwbGljYXRpb24iOiJSZXRhaWw6UHJvZDosInJlcXVlc3RJZCI6Ik1CRlY4MlRUUVYySk5CS0pKNTBCIiwidGl0bGUiOiJBbWF6b24uY29tLiBTcGVuZCBsZXNzLiBTbWlsZSBtb3JlLiIsInN1YlBhZ2VUeXBlIjoiZGVza3RvcCIsInNlc3Npb24iOnsiaWQiOiIxMzMtOTkwNTA1NS0yNjc3MjY2In0sInZpZGVvIjp7ImlkIjoiAAAAAQAAAAIiCgAAAAEAAAB1InBsYXllck1vZGUiOiJJTkxJTkUiLCJ2aWRlb1JlcXVlc3RJZCI6Ik1CRlY4MlRUUVYySk5CS0pKNTBCIiwiaXNBdWRpb09uIjoiZmFsc2UiLCJwbGF5ZXIiOiJJVlMiLCJldmVudCI6Ik5PTkUifX19fV19AAAABAAAAAcAAAAAAAAADQAAAAYAAAAJeC1hbXotcmlkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
7680
polling_time
1.2e+06
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdZcrTgNoA9YhE9c28Ot9+50F9Eq8KMNVyq1GZmBuStkpPVvpYyP0Lc+3PhcJTlq56ACaJEZCuI/OD2OlYa8QbdIt7jzHMZ73JFaDNm+jz6LdLWJQBIS2C45jEbQGdP+H20szUTRtLhFzUsZfQ3OSZWb8kABztvZVvxRwaLGKz6wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.28716032e+08
unknown2
AAAABAAAAAEAAAUcAAAAAQAAAAEAAAACAAAAwgAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/1/events/com.amazon.csm.csa.prod
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
watermark
674054486

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Targets

- Target
  
  vems.exe
- Size
  
  371KB
- MD5
  
  11a7a460407f9e4195c86cf86992b833
- SHA1
  
  915b5fd9461edcb24bde2a7345d205012231c74d
- SHA256
  
  84175d90c85177640eea2006fefe99499f4d8295e1112171f9a9054e6888db67
- SHA512
  
  67a421976cbb927f8e2310a4f1befd6417412953076dcaa603fc8e3ba3d40bb655faac3d1f4b2d1a058fa574e86961da8fdfa589cca99f4524c1ea1fe700ccfa
- SSDEEP
  
  6144:VcCI4PcgXSA8FHKw24zv6Md6NgsXyhyUzjhXGrql:VcCI4VSACKwRyzN3UmrU
Score

10^/10

cobaltstrike 0 674054486 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2