zharkbot | 596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23 | Triage

Sharing

General

Target

AT000005112563923.vbs
Size

681KB
Sample

240919-nhpxlawapa
MD5

9bd642cb865da2fbc2268da38596d491
SHA1

1b3752ed0e4910bc214b1229beb9bafccd426e21
SHA256

596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
SHA512

d0eb2d2ef74e79f142073b1d65a754ec986df42c462e7a2349e82f46c37275ed73570a709561e4f10c951379961f88e191adfab0872a91c3510eb57ae200a383
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222p:e0iA2Seis

Score

10^/10

zharkbot botnet defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Targets

- Target
  
  AT000005112563923.vbs
- Size
  
  681KB
- MD5
  
  9bd642cb865da2fbc2268da38596d491
- SHA1
  
  1b3752ed0e4910bc214b1229beb9bafccd426e21
- SHA256
  
  596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
- SHA512
  
  d0eb2d2ef74e79f142073b1d65a754ec986df42c462e7a2349e82f46c37275ed73570a709561e4f10c951379961f88e191adfab0872a91c3510eb57ae200a383
- SSDEEP
  
  1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222p:e0iA2Seis
Score

10^/10

execution zharkbot botnet defense_evasion discovery persistence
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

zharkbotbotnetdefense_evasiondiscoveryexecutionpersistence