Extracted

Extracted

• • Target

    arsematt.vbs

  • Size

    561KB

  • MD5

    67f78666481d600810d29e397f06abb9

  • SHA1

    958e7e831631e69e60fed3b949ba06a0eebc8b96

  • SHA256

    cfdbbae8d680f413878e6fac771ab74d077df472d0a145e2994bdf599106a8cc

  • SHA512

    3b53e2986196095ca2749ffdb3e07b5a98da5ace672f8984bca68f02bdf29c5db24ae3a76383644a071ebc8536c971b585d657a1828b4a445d7c89ef919ecd52

  • SSDEEP

    1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFl:4aD

  Score

  10^/10

  zharkbotbotnetdefense_evasiondiscoveryexecutionpersistence

  • Detects ZharkBot payload

    ZharkBot is a botnet written C++.

  • ZharkBot

    ZharkBot is a botnet written C++.

    botnetzharkbot

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2