General
-
Target
AT000005112563923.html
-
Size
335KB
-
Sample
240919-nv6qwaxcmq
-
MD5
46e2e4f986de87356f85431a7dd20ab4
-
SHA1
0ec25cd81cb6b908d76e42e30f181f06c770d137
-
SHA256
c19ca3264f8f5c4d8194c8844f77951693bfec24ee2af41fadcc2b396ff4f30b
-
SHA512
dbeaa42fef22b0cb057ada4055f0c6b4a6962d5a7039e85dc74d8864fa3e14c24a0ae75dae84c22f6fc0bc0fbb95be25ee06a688a65a5094ecea9e596d3e4a74
-
SSDEEP
6144:PP1WE6z4vp8Xi5bC3n3pwnj/8EFNs0HqDM3C61lJRczCfCPZQfy4rIt2ASuzU:FWnUvyi50kNsNYC61nRcGfChV84Y
Static task
static1
Behavioral task
behavioral1
Sample
AT000005112563923.html
Resource
win11-20240802-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp
Host: ftp.desckvbrat.com.br
Port: 21
Username: desckvbrat1
Password: developerpro21578Jp@@
Targets
-
Detects ZharkBot payload
ZharkBot is a botnet written in C++.
-
Blocklisted process makes network request
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-