Zharkbot Strings
Sept. 3, 2024, 8:42 a.m.
Description
Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and in-line API calls, which makes both static analysis and emulation difficult. The malware performs sandbox detection by checking for specific usernames and for hypervisors. It installs itself in the TEMP directory as 'explert.exe' and establishes persistence via the RUNONCE registry key. Zharkbot builds its C2 data and communicates with the server at solutionhub.cc:443/socket/. The analysis identifies the malware's build version as 1.2.5B and provides insights into its installation, persistence, and network communication methods.
Date
Published: Sept. 3, 2024, 8:09 a.m.
Created: Sept. 3, 2024, 8:09 a.m.
Modified: Sept. 3, 2024, 8:42 a.m.
Indicators
1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
https://solutionhub.cc:443/socket/
Attack Patterns
Zharkbot
Amadey - S1025
T1053.005
T1059.003
T1547.001
T1012
T1497
T1071.001
T1082
T1140
T1027