General

  • Target

    3fa4e2db3d9404f713f1f79a4eb79dda148325407408ef9d9a605479377295c8.vbs

  • Size

    562KB

  • Sample

    240924-bm9fksvhph

  • MD5

    ca8ac9a5b0023d32bcd76c65512a6cd3

  • SHA1

    25291ca6801339de6d51840f921f6955d7d8f7af

  • SHA256

    3fa4e2db3d9404f713f1f79a4eb79dda148325407408ef9d9a605479377295c8

  • SHA512

    e1e7a3dbc7df71aa2a09e280eb018ef228b14380677cb469ac8d31e125fdbf973246a8f0e99e0ebea288c57b88f574217252ce1b151d8288b24575ac7b0f206f

  • SSDEEP

    1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFc:k5o1W

Malware Config

Extracted

  • Language:
    ps1
  • Source:
  • URLs:
    exe.dropper: https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Targets

    • Detects ZharkBot payload

      ZharkBot is a botnet written in C++.

    • ZharkBot

      ZharkBot is a botnet written in C++.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
