MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZharkBot


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
SHA3-384 hash: 2b0deb7b693f5b97f0ee1586df71ec4b24f8007b334fd95718c8229ccb055750ff92a86537ab1248d3b8531170f0c9fc
SHA1 hash: 2f73b04baf17c3a9f9d21f6f324d64306a10682c
MD5 hash: 848abdbd09c052799a0e0180b59f6fee
humanhash: thirteen-cold-jig-butter
File name:848abdbd09c052799a0e0180b59f6fee
Download: download sample
Signature ZharkBot
Create hunting rule
File size:331'776 bytes
First seen:2024-07-24 07:24:20 UTC
Last seen:2024-07-24 08:24:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89d186e701948ed4026afa52bc6342f0 (3 x ZharkBot, 1 x LummaStealer, 1 x CryptBot)
ssdeep 6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs
Threatray 6 similar samples on MalwareBazaar
TLSH T165648D21BA41C031DAB114705B38BBF6992DEE344F6416F7A3D4097BAE702D2A735B63
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe ZharkBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
376
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
185.196.10.57/selectex-file-host/lobo.exe
Verdict:
Malicious activity
Analysis date:
2024-07-24 09:56:11 UTC
Tags:
loader botnet zharkbot
Link:
https://app.any.run/tasks/d2621cd6-109d-4712-ac93-287e0531a29f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.31754.30579.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a0ac546f74caeb2f89ad6b
Tags:
Execution Infostealer Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Setting a single autorun event
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint lolbin microsoft_visual_cc shell32 wscript
Link:
https://www.filescan.io/uploads/66a0ac519149fd55f98faeae/reports/74e61edb-9dcc-4b46-ab6a-604ef53ec503/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9bda22a-7b5d-48f4-83c2-d90d27da4fa2
Result
Threat name:
ScreenConnect Tool, PureLog Stealer, Red
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479881
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1479881 Sample: RPHbzz3JqY.exe Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 102 Sigma detected: Xmrig 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus / Scanner detection for submitted sample 2->106 108 12 other signatures 2->108 9 explert.exe 25 2->9         started        14 RPHbzz3JqY.exe 1 4 2->14         started        16 Cerker.exe 2->16         started        18 8 other processes 2->18 process3 dnsIp4 96 185.196.10.57 SIMPLECARRIERCH Switzerland 9->96 98 185.216.214.218 SERVERDISCOUNTERserverdiscountercomDE Germany 9->98 100 188.114.96.3 CLOUDFLARENETUS European Union 9->100 72 C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe, PE32 9->72 dropped 86 17 other malicious files 9->86 dropped 136 Creates an undocumented autostart registry key 9->136 20 IIZS2TRqf69aZbLAX3cf3edn.exe 18 9 9->20         started        24 HM3SOlbpH71yEXUIEAOeIiGX.exe 9->24         started        26 FRaqbC8wSA1XvpFVjCRGryWt.exe 9->26         started        32 14 other processes 9->32 74 C:\Users\user\AppData\Local\...\explert.exe, PE32 14->74 dropped 76 C:\Users\user\...\explert.exe:Zone.Identifier, ASCII 14->76 dropped 138 Creates multiple autostart registry keys 14->138 140 Contains functionality to inject code into remote processes 14->140 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->142 144 Uses schtasks.exe or at.exe to add and modify task schedules 14->144 28 explert.exe 14->28         started        30 schtasks.exe 1 14->30         started        78 C:\Users\user\AppData\...\sys_updater.exe, PE32 16->78 dropped 80 C:\Users\user\AppData\...\sys_updater.exe, PE32 18->80 dropped 82 C:\Users\user\AppData\...\sys_updater.exe, PE32+ 18->82 dropped 84 C:\Users\user\AppData\...\sys_updater.exe, PE32 18->84 dropped 88 3 other malicious files 18->88 dropped 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->146 file5 signatures6 process7 file8 64 C:\Users\user\AppData\...\sys_updater.exe, PE32+ 20->64 dropped 66 C:\Users\user\AppData\Local\Temp\gtxkvh.exe, PE32 20->66 dropped 118 Multi AV Scanner detection for dropped file 20->118 120 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->120 122 Writes to foreign memory regions 20->122 132 2 other signatures 20->132 34 gtxkvh.exe 20->34         started        38 AddInProcess.exe 20->38         started        41 AddInProcess.exe 20->41         started        68 C:\Users\user\AppData\Roaming\d3d9.dll, PE32 24->68 dropped 124 Antivirus detection for dropped file 24->124 126 Machine Learning detection for dropped file 24->126 128 Allocates memory in foreign processes 24->128 43 MSBuild.exe 24->43         started        45 conhost.exe 24->45         started        130 Contains functionality to hide user accounts 26->130 47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        signatures9 process10 dnsIp11 60 C:\Users\user\AppData\...\sys_updater.exe, PE32 34->60 dropped 62 C:\Users\user\AppData\Local\...\Cerker.exe, PE32 34->62 dropped 110 Creates an undocumented autostart registry key 34->110 112 Creates multiple autostart registry keys 34->112 51 Cerker.exe 34->51         started        56 schtasks.exe 34->56         started        92 212.47.253.124 OnlineSASFR France 38->92 114 Query firmware table information (likely to detect VMs) 38->114 94 146.59.154.106 OVHFR Norway 41->94 116 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->116 file12 signatures13 process14 dnsIp15 90 188.114.97.3 CLOUDFLARENETUS European Union 51->90 70 C:\Users\user\AppData\...\sys_updater.exe, PE32 51->70 dropped 134 Creates an undocumented autostart registry key 51->134 58 conhost.exe 56->58         started        file16 signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-07-23 20:11:12 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkqgektuj3cnfcswdowgb3c6sb2hmwd67ow73zkg2kyulpslqeeq._file
Verdict:
malicious
Similar samples:
0a18067c173a7c4bdc24b8d3a847814b30733cecfdcc305c431a3d1fcc322536
ZharkBot
1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
ZharkBot
dcff0ce8faf0bc8555c4213eecf50f8e98a72b9cac87676239afd9eb5d7ed8f6
ZharkBot
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240724-h8y1asvamk/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94a0e26d-87d2-49fd-ae76-76ca986f9d6a
Unpacked files
SH256 hash:
1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
MD5 hash:
848abdbd09c052799a0e0180b59f6fee
SHA1 hash:
2f73b04baf17c3a9f9d21f6f324d64306a10682c
Link:
https://www.unpac.me/results/22f24476-2498-4d5c-ae22-d7438c50fcd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZharkBot

Executable exe 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3064620/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA

Comments


Avatar
zbet commented on 2024-07-24 07:24:21 UTC

url : hxxp://185.196.10.57/selectex-file-host/lobo.exe