zharkbot | 4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

43044a8822f069feddd9c02fe36d8517
SHA1

7ed988939944d311a580e145198a6b4cc5741355
SHA256

4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874
SHA512

fb7f178877f94e7132508d1475dfdadbd2b71f4d8b3c779e509829fd2ea4d223328a389c6521729616cd15900d72b57a3fe0f0b6502c9bba7c60194c65d66f4b
SSDEEP

24576:v9tuVdYYq6r4KmT/VKl/kb9sY5uJ1VMa6z3ZD+yA5HQMh4/Vp58t2Wcd:vD+Js9C0udwtzJKyA5HQcKUzy

Score

10^/10

zharkbot botnet discovery

Malware Config

Signatures

Detects ZharkBot payload 2 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral2/memory/1200-38-0x0000000004880000-0x00000000048C5000-memory.dmp	zharkcore
behavioral2/memory/1200-39-0x0000000004880000-0x00000000048C5000-memory.dmp	zharkcore

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1200 created 3532	1200	Playboy.pif	56
PID 1200 created 3532	1200	Playboy.pif	56

ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1200	Playboy.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2720	tasklist.exe
4612	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DebtCraft	file.exe
File opened for modification	C:\Windows\MatsKate	file.exe
File opened for modification	C:\Windows\NovelSmith	file.exe
File opened for modification	C:\Windows\WishlistPure	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Playboy.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1200	Playboy.pif
1200	Playboy.pif
1200	Playboy.pif

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1608	2120	file.exe	82
PID 2120 wrote to memory of 1608	2120	file.exe	82
PID 2120 wrote to memory of 1608	2120	file.exe	82
PID 1608 wrote to memory of 4612	1608	cmd.exe	84
PID 1608 wrote to memory of 4612	1608	cmd.exe	84
PID 1608 wrote to memory of 4612	1608	cmd.exe	84
PID 1608 wrote to memory of 1788	1608	cmd.exe	85
PID 1608 wrote to memory of 1788	1608	cmd.exe	85
PID 1608 wrote to memory of 1788	1608	cmd.exe	85
PID 1608 wrote to memory of 2720	1608	cmd.exe	89
PID 1608 wrote to memory of 2720	1608	cmd.exe	89
PID 1608 wrote to memory of 2720	1608	cmd.exe	89
PID 1608 wrote to memory of 2212	1608	cmd.exe	90
PID 1608 wrote to memory of 2212	1608	cmd.exe	90
PID 1608 wrote to memory of 2212	1608	cmd.exe	90
PID 1608 wrote to memory of 2584	1608	cmd.exe	91
PID 1608 wrote to memory of 2584	1608	cmd.exe	91
PID 1608 wrote to memory of 2584	1608	cmd.exe	91
PID 1608 wrote to memory of 1020	1608	cmd.exe	92
PID 1608 wrote to memory of 1020	1608	cmd.exe	92
PID 1608 wrote to memory of 1020	1608	cmd.exe	92
PID 1608 wrote to memory of 372	1608	cmd.exe	93
PID 1608 wrote to memory of 372	1608	cmd.exe	93
PID 1608 wrote to memory of 372	1608	cmd.exe	93
PID 1608 wrote to memory of 1200	1608	cmd.exe	94
PID 1608 wrote to memory of 1200	1608	cmd.exe	94
PID 1608 wrote to memory of 1200	1608	cmd.exe	94
PID 1608 wrote to memory of 4016	1608	cmd.exe	95
PID 1608 wrote to memory of 4016	1608	cmd.exe	95
PID 1608 wrote to memory of 4016	1608	cmd.exe	95
PID 1200 wrote to memory of 3796	1200	Playboy.pif	96
PID 1200 wrote to memory of 3796	1200	Playboy.pif	96
PID 1200 wrote to memory of 3796	1200	Playboy.pif	96
PID 1200 wrote to memory of 1428	1200	Playboy.pif	98
PID 1200 wrote to memory of 1428	1200	Playboy.pif	98
PID 1200 wrote to memory of 1428	1200	Playboy.pif	98
PID 3796 wrote to memory of 964	3796	cmd.exe	100
PID 3796 wrote to memory of 964	3796	cmd.exe	100
PID 3796 wrote to memory of 964	3796	cmd.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Exceed Exceed.bat & Exceed.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4612
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1788
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 758927
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "NonCostsDialogueAngels" Oe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Algorithm + ..\Dept + ..\Containers + ..\Cal + ..\Filled + ..\Plymouth + ..\Checks + ..\Grounds p
      4⤵
      System Location Discovery: System Language Discovery
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\758927\Playboy.pif
      Playboy.pif p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1200
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Solving" /tr "wscript //B 'C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Solving" /tr "wscript //B 'C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url" & echo URL="C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\758927\Playboy.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\758927\p

Filesize
569KB

MD5
83afc888b04243510b45c81be0aca90b

SHA1
24307ecbf84dbeb6ba0a1d444f4728bbbc3ddee4

SHA256
6d9736e0d27580cf23ca2dde04e7ad37e81f3784ab62055ec9e99111dea31dc4

SHA512
27ad041e8d2bd24e96038b9c91016dc443274d67ba7f09e575974c83f1cd2499f45655bbd633bd821c7ea0f138aae02b9b96c91c1286e269ea35e993885eed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Algorithm

Filesize
84KB

MD5
139313e3e17639000484574c5b868583

SHA1
3bd610784217d674a47d9ecfea8212732a27f680

SHA256
db07c2a20a33ac2fb5db98528bf254fe27de25cb57886183b945e687757c5fdf

SHA512
14ce494ed36be9d8bc85fcca5683aee50e417bc39948d8c67ac687737325a2d00bb790fc227a5fd4af71e0d9e25b4424219209d96fe0bd88604500a3def66709

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cal

Filesize
51KB

MD5
4d5b3e82ce74ba3e1dbe07e948dccfd7

SHA1
1ef8a20e6d1091e5022578a274775c5cfbbc9687

SHA256
437694e2a7677cfd3bb7b58bcc3c9953da52422faf7aeae1c124403c9fe40d0f

SHA512
c170f340a497c9d0e207c095c5b5626ae943b972589aaf07e7f5cafdc7586b7aa808e392ec012cea89d35abbaeb5496e3c5a8634740221435752e4dcea95a713

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checks

Filesize
85KB

MD5
494475eb511eef17b5e3a0677e8d9d40

SHA1
8e6c081692cd942744c52421695a5e62b5572d27

SHA256
fbdcdcee83ace5e22451eba67f33daf3c996e254363f6e675b9b2ce19c43fb33

SHA512
37c3478d30ccaba10e8dc5a4c0e60519aeaffc2c615563c7c7d77a2e7785ea1cf0d855d6dfd554792d4421363551a950e9af294ad8b8ac1684e952efe61350d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Containers

Filesize
66KB

MD5
cd91ed2dd284782805c99d3d9392d070

SHA1
96a99373350320ed71b102b052279c3d99b1e5fe

SHA256
97d902027afb78a80eda022c942f7810fcfbe69e2107873c4a68cc3ecfef03d9

SHA512
718bac87cc64cc4a7c52f896cc07c1d564807c918689ad76a3e7b7208d94d69fe0ce2bebf13c67fe0b55d9e9fdcb7c16f297a5df321600a7d408e38b149a364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dept

Filesize
97KB

MD5
ba8c8e0ac31ab41e7bf4c1bf876447a7

SHA1
bd4cecfc670bcb48649d0ef6699890ac9b87d843

SHA256
8add0b38828c1d98c42edc11ff90de9897f6d5bf336418bff10101ba85d65f87

SHA512
b9d644d786ad71f3b801f44f3c6e5375b8aa931b67a7338ee761aa742e1b59854e4dbdae748a549d4f9f5d624fd66485eee5d3a59073bf512be42d42fbf39124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exceed

Filesize
21KB

MD5
a15fb1f2fc25e382bc35a75af320c8d5

SHA1
db156f523e11d63ff07dd3a9d22ec6d81279d3ad

SHA256
6d67335c5beedeb1e53bc414f76ca3c2a811af1f920e2145d3f2ed04a892cedf

SHA512
2b77a59908219618a31da8bfe43a12d07746987ed18f2e98feee35bde77d2e6fa8e2ffc6ae4b6ee84b61e3e32465eba8e9601c962b62cc2cd263f66b890683d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filled

Filesize
76KB

MD5
6734f9d63c2a86c37009889239ea9645

SHA1
382e96c0763a1b303ebbb486d098b02eb33e3693

SHA256
6d3e4f61e4bb756ef58c8d87628339c44f7b1ee667397ce2212bde29c434bcae

SHA512
b807d07afe4bf1dff19b0bf620eca8c5d1d464e5e02c3cdab956d82d55139c360c08c642320482ebdbed5d42fdf3c00d945210ab12eb47a3a53765129b12d5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grounds

Filesize
54KB

MD5
d8ff8ec0bf3e6d6adeced27764d7524c

SHA1
854859ab59e75a7b79e4b07a8c19e8bd93523676

SHA256
1486b6bf45f4c7d178c3d15dff7654be7bc56dc873754790bc33a40741f4980d

SHA512
caf6c4292d66011eae850e95fc37b96e5a0d873904ba95a4f0be6acf983828be54cef06f91af70e7a06eb039b4acf006a7efbb27cab094e7c469984243b8fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leu

Filesize
869KB

MD5
9ba9a85629b0428b7c45b5a0f89c06d6

SHA1
b401b4cc2461fc49144ab3883e0bbcf54bc8d5e7

SHA256
b5452a3ec7cd068fc89f74f39180c6f60177a7aaab21d80c2d749cd787f29ca3

SHA512
797ba0ae4425c9d22a73534f7352e8da38a6f2c3194f0d95bc3c4c1c19dafee900611805a832e2f4ccd5b59d29343b4a0971edbf2af6b09d0e9c8a53b40902f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oe

Filesize
2KB

MD5
7a940180248437b3b48a7d50940ea91e

SHA1
dfc3091d7384844294f7ce6d6d798f84b703c54b

SHA256
a50ad1d8d7dea9fe80b3cfa1788af14570ea4488d4f142f5131e8d49f54db811

SHA512
2055bf18e4269b02dc4bdd6b44177a1ecf8df7cb9d1f8eff3be7b66f1df8c31e71c9e880822d03f34fbf5dc922a63064d096fe9e00961020a70d50f0d0399ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plymouth

Filesize
56KB

MD5
e371a4eed9e3fc4738cd2332743a6b48

SHA1
a942b830b65a494e502deb6af48abfe88e53373e

SHA256
f69928281be28923e2052bac547c37a8986286386bc10dc2143e58617ef2920b

SHA512
cd2b2662173ab7dd7ed0e35bda5b098c27d0df41bb10f47b05fec71783949ee5e4b5968a99132417cbd061a054c56e25d2075b0db719035c140229c8e57d7077

Download Submit
memory/1200-35-0x0000000004880000-0x00000000048C5000-memory.dmp

Filesize
276KB

Download
memory/1200-36-0x0000000004880000-0x00000000048C5000-memory.dmp

Filesize
276KB

Download
memory/1200-37-0x0000000004880000-0x00000000048C5000-memory.dmp

Filesize
276KB

Download
memory/1200-38-0x0000000004880000-0x00000000048C5000-memory.dmp

Filesize
276KB

Download
memory/1200-39-0x0000000004880000-0x00000000048C5000-memory.dmp

Filesize
276KB

Download