Overview

overview

10

Static

static

10

shark_botnet_c2.zip

windows7-x64

7

shark_botnet_c2.zip

windows10-2004-x64

1

WinDivert.dll

windows7-x64

1

WinDivert.dll

windows10-2004-x64

1

WinDivert64.sys

windows7-x64

1

WinDivert64.sys

windows10-2004-x64

1

barrier.cpp

windows7-x64

3

barrier.cpp

windows10-2004-x64

3

desktop.ini

windows7-x64

1

desktop.ini

windows10-2004-x64

1

sharkbotnetc2.exe

windows7-x64

7

sharkbotnetc2.exe

windows10-2004-x64

8

���k�Yv.pyc

windows7-x64

���k�Yv.pyc

windows10-2004-x64

xmmintrin.h

windows7-x64

3

xmmintrin.h

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    shark_botnet_c2.zip

  • Size

    6.8MB

  • Sample

    241115-ygvfsstrep

  • MD5

    bf52fb2803cc805f797b2f00ceb4260d

  • SHA1

    6724edfefaaa0ac387d6f7bfae9ad6280eb6908a

  • SHA256

    ba9ada271c0e3bb2c53762c41a19f414811f8b3079e107adbb64edbed4b45b53

  • SHA512

    396880f658cb8b7289332db46b88a89a89dd3613295b5fb6919a1919607438b70054a2909cebf5f9f563485701f3176ecf4de6c7da728d4eba5775bdb06573c6

  • SSDEEP

    196608:wPjxTGiNv++tfZT1dKp+nK6kbQ3sxInFWt:wZNvttfZTiUtkU3scO

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      shark_botnet_c2.zip

    • Size

      6.8MB

    • MD5

      bf52fb2803cc805f797b2f00ceb4260d

    • SHA1

      6724edfefaaa0ac387d6f7bfae9ad6280eb6908a

    • SHA256

      ba9ada271c0e3bb2c53762c41a19f414811f8b3079e107adbb64edbed4b45b53

    • SHA512

      396880f658cb8b7289332db46b88a89a89dd3613295b5fb6919a1919607438b70054a2909cebf5f9f563485701f3176ecf4de6c7da728d4eba5775bdb06573c6

    • SSDEEP

      196608:wPjxTGiNv++tfZT1dKp+nK6kbQ3sxInFWt:wZNvttfZTiUtkU3scO

    Score
    7/10
    discoveryupx

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      WinDivert.dll

    • Size

      15KB

    • MD5

      1b1284100327d972e017f565dbecf80e

    • SHA1

      5b4f0c122a80478973eb6f9cb3bbcaf186295aea

    • SHA256

      9444a6e6b66f13f666f9c60d1935824f61c7256e35a8cf0440e29baa7fbe42c7

    • SHA512

      4ccb9e233a3573f6eded0efa8fa54ed929818394cdf2153623d902c749d37751da6f489354aa50968e53d42d5ce339f6368dedb7858a4ff43a1927b4338954a4

    • SSDEEP

      384:EHGiP0PYf9pHuGvATXlQRNq/EbUKxcneWuDlE:E9MQf90GvQXlQvAEcehD

    Score
    1/10
    behavioral3behavioral4

    • Target

      WinDivert64.sys

    • Size

      37KB

    • MD5

      3bd5ac2e9d96e680f5dbdd183a58c47d

    • SHA1

      83b08cb5e61c7b37bd710ea01196a26fc8f38610

    • SHA256

      208c092fe77f161c5a313b916d73fa7f6d10dd289bab8bb5dfb3d59aacb27f25

    • SHA512

      6cccd7971f423f72f5dbd01a83a2d27bb2bde63c4d1f5e127d77cfa0df85c289a2c3cd95c110ce38b58b9ea9a49aad18ae50f352ac6b21740d0294f771fbcb78

    • SSDEEP

      768:R5VorUqgJs3/KtdrbYiZdNSRUYjbMUYOUaCdHUZ9fdCrYc:vVorUn9cRUuILLd07fdCU

    Score
    1/10
    behavioral5behavioral6

    • Target

      barrier.cpp

    • Size

      3KB

    • MD5

      46f37f1e167237945d5a68c3a63119ee

    • SHA1

      2bdc80e3a52349f54f8311b0debaf563b8e2f36e

    • SHA256

      537b87663d4c7caed98005590827fc6f1fdf6d1f137efa5f01f85c4c89caeb76

    • SHA512

      807443d45d83c3408929ad9a79f3fd1c4802702f72e558a6832506f2e8bdd443ea00e75b47642fd0d4d80006ff9bfc27f2792f0f3babdeaaba8c8606d066335e

    Score
    3/10
    behavioral7behavioral8

    • Target

      desktop.ini

    • Size

      46B

    • MD5

      872114925d7c336f1b6bf220d3b2e6b7

    • SHA1

      fdd8879ec71e545ba283215ce0c46178e496b513

    • SHA256

      39a3309d74d55301f37ff757eb6f945ac86b310ac09198434f95d5e246aa5310

    • SHA512

      dd5e003efa3f2b36395e79272d6b0d889471d0c8c5c076b7a1218acf7c00ee4c9660e4d1f49ed51a151d37dfd6fa29bd17d60e6508948b8bf4af39f33c135915

    Score
    1/10
    behavioral10behavioral9

    • Target

      sharkbotnetc2.exe

    • Size

      6.9MB

    • MD5

      54797b3e8dac7850a1985866ae500b0d

    • SHA1

      faf0cba6cf510d7bf907a3802506c778381d58a9

    • SHA256

      5e745e0b505d56d135db62d1fb40168905eb7492b75eaa58a8fcea7f9f6e602b

    • SHA512

      787741afee2c9795ac05ce35862aa37a656cfd96edee4324997fbd62cc143559dded94cd08732ce981938dcf3375d77754cd3efb45f719fadec6a9338fdf6ae2

    • SSDEEP

      196608:4aV1FiHB6ylnlPzf+JiJCsmFMvcn6hVvv:AHBRlnlPSa7mmvc+H

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      ���k�Yv.pyc

    • Size

      1KB

    • MD5

      4a7b2f4a7ac88dc0b126b2ab3f657b95

    • SHA1

      4ed6aeef872bc205657a5f210d0c2ddb28298031

    • SHA256

      04903284cdc5e2893beb2a3926b9def334f24b33188fa3c2aa375cd94f4fe790

    • SHA512

      9a4f4e37da5c8887a323e55183cee7c54208136261eee81587ad1e663772eda1ce347e6d0c4781fb890d2d221e326a4d39663d6c4c00d1d052cded73ea6272dd

    Score
    1/10
    behavioral13behavioral14

    • Target

      xmmintrin.h

    • Size

      106KB

    • MD5

      04b4174745d9f46d48080aefb7d04c2c

    • SHA1

      478f97abfaba53478b15648f4ed51b0f3f1a4799

    • SHA256

      874f9651d758cfe659021e41794f8e8fede3cbe87caf7a997e58d38eef2b3af3

    • SHA512

      169c8152de3eba1351250e4d08191ee6ead0587734d202aba42356a70d44889f55c1875a5e7e5d15287c7dc1e697db65f049b02702b2fc7ec47e50092aa586a9

    • SSDEEP

      1536:CO0BIl1Fexvtw97q78Nhr9aNhr9QeatQr6qUqYHUqTwE4wxcdFNZFEngbNSKrbsK:mpJC0

    Score
    3/10
    behavioral15behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

4
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks