MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZharkBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
SHA3-384 hash: f7094ecceae919f05e4cf7e857ee93448917dd44c295bac57eb77399b6319742db9426903ebb2d02b601cd1c2a823280
SHA1 hash: 1b3752ed0e4910bc214b1229beb9bafccd426e21
MD5 hash: 9bd642cb865da2fbc2268da38596d491
humanhash: quiet-wisconsin-hamper-iowa
File name:AT000005112563923.vbs
Download: download sample
Signature ZharkBot
Create hunting rule
File size:698'318 bytes
First seen:2024-09-19 11:23:27 UTC
Last seen:2024-09-23 18:06:57 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222p:e0iA2Seis
TLSH T1ADE4CF4766EF5509B1F76B58A97640780B277D299DBDC2AC01CCA45E0FE3A00CA61BF3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter cocaman
Tags:desckvbrat-com-br vbs ZharkBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.24740.22398.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ec09d577496a3b0d6ef118
Tags:
Encryption Execution Generic Infostealer Network Stealth Agent
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/66ec09d4d2758b8668baba09/reports/1281695f-e177-48da-9aaa-48de88365702/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
Result
Verdict:
UNKNOWN
Result
Threat name:
Zhark RAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1513812
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found stalling execution ending in API Sleep call
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Copy file to startup via Powershell
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected Zhark RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1513812 Sample: AT000005112563923.vbs Startdate: 19/09/2024 Architecture: WINDOWS Score: 100 63 pastebin.com 2->63 65 testedsnakeoptic.com 2->65 67 6 other IPs or domains 2->67 95 Multi AV Scanner detection for domain / URL 2->95 97 Suricata IDS alerts for network traffic 2->97 99 Found malware configuration 2->99 103 15 other signatures 2->103 10 wscript.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 2->15         started        signatures3 101 Connects to a pastebin service (likely for C&C) 63->101 process4 signatures5 109 VBScript performs obfuscated calls to suspicious functions 10->109 111 Suspicious powershell command line found 10->111 113 Wscript starts Powershell (via cmd or directly) 10->113 115 3 other signatures 10->115 17 powershell.exe 7 10->17         started        20 powershell.exe 12 13->20         started        22 conhost.exe 13->22         started        24 powershell.exe 15->24         started        26 conhost.exe 15->26         started        process6 signatures7 83 Suspicious powershell command line found 17->83 85 Self deletion via cmd or bat file 17->85 87 Tries to download and execute files (via powershell) 17->87 93 3 other signatures 17->93 28 powershell.exe 14 18 17->28         started        33 conhost.exe 17->33         started        89 Writes to foreign memory regions 20->89 91 Injects a PE file into a foreign processes 20->91 35 RegAsm.exe 6 20->35         started        37 conhost.exe 20->37         started        39 RegAsm.exe 24->39         started        41 conhost.exe 24->41         started        process8 dnsIp9 77 desckvbrat.com.br 191.252.83.213, 21, 49730, 49731 LocawebServicosdeInternetSABR Brazil 28->77 79 mehreencreation.com 180.149.241.246, 443, 49736 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 28->79 81 api.pastecode.io 188.114.96.3, 443, 49732, 49735 CLOUDFLARENETUS European Union 28->81 61 C:\Users\user\AppData\Local\...\lmjeo.ps1, Unicode 28->61 dropped 127 Self deletion via cmd or bat file 28->127 43 powershell.exe 11 28->43         started        47 cmd.exe 10 28->47         started        49 powershell.exe 1 11 28->49         started        51 cmd.exe 1 28->51         started        129 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->129 file10 signatures11 process12 dnsIp13 75 pastebin.com 104.20.4.235, 443, 49743, 49750 CLOUDFLARENETUS United States 43->75 117 Writes to foreign memory regions 43->117 119 Injects a PE file into a foreign processes 43->119 53 RegAsm.exe 6 43->53         started        57 RegAsm.exe 43->57         started        59 RegAsm.exe 43->59         started        121 Suspicious powershell command line found 47->121 123 Wscript starts Powershell (via cmd or directly) 47->123 125 Creates autostart registry keys with suspicious values (likely registry only malware) 49->125 signatures14 process15 dnsIp16 69 leveledoperationalcert.com 104.21.2.222, 443, 49747, 49754 CLOUDFLARENETUS United States 53->69 71 testedsnakeoptic.com 172.67.165.181, 443, 49746, 49749 CLOUDFLARENETUS United States 53->71 73 solutionhub.cc 188.114.97.3, 443, 49748, 49756 CLOUDFLARENETUS European Union 53->73 105 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 53->105 107 Found stalling execution ending in API Sleep call 57->107 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/596a00476cdbd7a3f93ec08a71f1a356e4289da5017132ee631368d4b2251e23/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-09-19 02:41:14 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfvaar3m3pl2h6j6ycfhd4ndk3scrhnfafytf3tdcnunjmrfdyrq._file
Result
Malware family:
zharkbot
Create hunting rule
Score:
  10/10
Tags:
family:zharkbot botnet defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/240919-nhpxlawapa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Detects ZharkBot payload
ZharkBot
Malware Config
Dropper Extraction:
https://drive.google.com/uc?export=download&id=
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/596a00476cdb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments