Extracted

Extracted

• • Target

    DocuSign01210021100.vbs

  • Size

    117KB

  • MD5

    09b37aa6f30c0b1d83529d21212f416c

  • SHA1

    c1d1d0159bc1a8bb36c4a078ea653531707d27c0

  • SHA256

    b28413ca3c1fa5b50a96d5e9afc5e365efd8ac6be834e82b25c5bf323284f774

  • SHA512

    b87bd64f420b21ac3f68f1aa069c0569a3e685f29f55b86527a020a8ee91e0f4b3c0f1b368ed4d63240608dc59dff8b8cff191a2812833f36b9f298ae803de7b

  • SSDEEP

    1536:pwwwwwwwwQ+xgv0zmbqGwwwwwwwwwwwwwwwwwr:iu

  Score

  10^/10

  executionzharkbotbotnetdefense_evasiondiscoverypersistence

  • Detects ZharkBot payload

    ZharkBot is a botnet written C++.

  • ZharkBot

    ZharkBot is a botnet written C++.

    botnetzharkbot

  • Zharkbot family

    zharkbot

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Hide Artifacts: Hidden Window

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2