Zharkbot Strings

Sept. 3, 2024, 8:42 a.m.

Description

Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. Strings are encrypted and API calls are constructed in-line, which makes both static and emulation-based analysis difficult. The malware detects sandboxes by checking for specific usernames and for hypervisors. It installs itself in the TEMP directory as 'explert.exe' and establishes persistence through the RunOnce registry key. Zharkbot then builds its C2 data and communicates with the server at solutionhub.cc:443/socket/. The analysis identifies the build version as 1.2.5B and covers the malware's installation, persistence, and network communication methods.
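The indicators above (dropped file name and location, RunOnce persistence, C2 host and path, sample hash) can be turned into a hunt. The script below is an added example, not code from the original page or from the Zharkbot author: it scans a constructed .reg export for RunOnce values pointing at explert.exe in a TEMP directory, matches constructed proxy log lines against the C2 host, and compares an EDR-style file inventory against the SHA-256. The proxy log format, the registry value name "explert", and the choice to inspect both the HKCU and HKLM RunOnce keys (the page does not say which hive) are assumptions.

```python
"""Hunt for the Zharkbot indicators on this page in host and proxy telemetry.

Added example (not code from the original page or the malware author); the
log formats and sample data below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the page.
ZHARKBOT_SHA256 = "1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109"
C2_HOST = "solutionhub.cc"
C2_PATH = "/socket/"
DROPPED_NAME = "explert.exe"

# Assumption: the page says RunOnce but not which hive, so both the per-user
# and machine-wide RunOnce keys are inspected.
RUNONCE_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\RunOnce\]$", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
TEMP_DIR_RE = re.compile(r"[\\%]temp[\\%]")   # matches ...\Temp\... or %TEMP%\...
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_runonce_entries(reg_export: str) -> list[dict]:
    """Return RunOnce values (from a .reg export) whose data points at
    explert.exe inside a TEMP directory. Matching is on the data, not the
    value name, because the page does not give the value name."""
    hits, in_runonce, current_key = [], False, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current_key = line.strip("[]")
            in_runonce = bool(RUNONCE_KEY_RE.match(line))
            continue
        if not in_runonce:
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
        path_l = data.lower()
        if DROPPED_NAME in path_l and TEMP_DIR_RE.search(path_l):
            hits.append({"key": current_key, "value": name, "data": data})
    return hits


def find_c2_traffic(proxy_log: str) -> list[dict]:
    """Match constructed proxy lines (time src method url status) against the
    C2 host. A full URL to /socket/ is a strong hit; a bare CONNECT to the
    host (TLS not inspected, path unseen) is weaker but still worth triage."""
    hits = []
    for line in proxy_log.splitlines():
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, target, _status = m.groups()
        if method.upper() == "CONNECT":
            host, path = target.rsplit(":", 1)[0].lower(), None
        else:
            parts = urlsplit(target)
            host, path = (parts.hostname or "").lower(), parts.path
        if host != C2_HOST:
            continue
        strength = "strong" if path is not None and path.startswith(C2_PATH) else "weak"
        hits.append({"time": ts, "src": src, "host": host, "path": path, "strength": strength})
    return hits


def match_file_hashes(inventory: dict[str, str]) -> list[str]:
    """Return paths whose SHA-256 (e.g. from an EDR file inventory) equals the sample."""
    return [p for p, h in inventory.items() if h.lower() == ZHARKBOT_SHA256]


# Constructed sample data: one benign Run value, one suspicious RunOnce value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"explert"="C:\\Users\\victim\\AppData\\Local\\Temp\\explert.exe"
"""

SAMPLE_PROXY_LOG = """\
2024-09-03T08:40:12Z 10.0.0.5 POST https://solutionhub.cc:443/socket/ 200
2024-09-03T08:40:15Z 10.0.0.7 GET https://www.example.com/ 200
2024-09-03T08:41:02Z 10.0.0.9 CONNECT solutionhub.cc:443 200
"""

SAMPLE_INVENTORY = {
    r"C:\Users\victim\AppData\Local\Temp\explert.exe": ZHARKBOT_SHA256,
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    for hit in find_runonce_entries(SAMPLE_REG_EXPORT):
        print("RunOnce persistence:", hit)
    for hit in find_c2_traffic(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    for path in match_file_hashes(SAMPLE_INVENTORY):
        print("Hash match:", path)
```

The registry check deliberately keys on the dropped file name plus the TEMP location rather than on the value name, so a renamed value still fires; the proxy check grades a bare CONNECT to the host lower than a full URL, since without TLS inspection the /socket/ path is never visible.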

Date

Published: Sept. 3, 2024, 8:09 a.m.
Created: Sept. 3, 2024, 8:09 a.m.
Modified: Sept. 3, 2024, 8:42 a.m.

Indicators

SHA-256 (sample): 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109

URL (C2): https://solutionhub.cc:443/socket/

Attack Patterns

Zharkbot

Amadey - S1025

T1053.005 - Scheduled Task/Job: Scheduled Task

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1012 - Query Registry

T1497 - Virtualization/Sandbox Evasion

T1071.001 - Application Layer Protocol: Web Protocols

T1082 - System Information Discovery

T1140 - Deobfuscate/Decode Files or Information

T1027 - Obfuscated Files or Information