zharkbot | 55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed | Triage

Sharing

General

Target

注文仕様書.vbs
Size

562KB
Sample

240924-k2b83aycnq
MD5

5548cba2f4acdafa93152fcec4f27ac8
SHA1

fc3227f824be04c73fa9e864f5bf34676bbcad8c
SHA256

55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed
SHA512

5fbed2a9a76a798cb057b61a1b895e72da32d93954f368be1b29a89d77e4a8b1e480675b53b95626f04ce937875c716bbd1d6072ebe27e7a2bd3fbf149f3aacf
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1:k5oTl

Score

10^/10

zharkbot botnet defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Targets

- Target
  
  注文仕様書.vbs
- Size
  
  562KB
- MD5
  
  5548cba2f4acdafa93152fcec4f27ac8
- SHA1
  
  fc3227f824be04c73fa9e864f5bf34676bbcad8c
- SHA256
  
  55b6b8489894a7769451a1a45f5662ae2e0f9f1057077643c15699aa43d39eed
- SHA512
  
  5fbed2a9a76a798cb057b61a1b895e72da32d93954f368be1b29a89d77e4a8b1e480675b53b95626f04ce937875c716bbd1d6072ebe27e7a2bd3fbf149f3aacf
- SSDEEP
  
  1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1:k5oTl
Score

10^/10

execution zharkbot botnet defense_evasion discovery persistence
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

zharkbotbotnetdefense_evasiondiscoveryexecutionpersistence