General

Target: 2002017386_001B203150123110000107_TAXINVOICE.xlsm
Size: 42KB
Sample: 230127-fjn3page26
MD5: 9567cc095b840a0156939bd14bd60d1b
SHA1: bc066fb87caf1ea2dd5e710210a40371f83945b5
SHA256: 6dace0bce0139f7a90be79aaa73a97df7903fc31ddbed4ba16a7712e0d20a9d7
SHA512: 434558080df7752ee37bf738f3e73abff7f1f19c43dd9f99f7d5623caedcb9fd70c798922798d0b00ee23bf8b824ce5c972602cb96f8bb7e9899e8bcd7554be6
SSDEEP: 768:RZvptTvBssn/24oBIJYfTH+niSpFvDHz0v+nW6FFiKk/fGqtCAwgRy+nQ+1N:bvHvBTfoG1BnTz0v+hFFi3/eqE5gzQ+f
Behavioral tasks

behavioral1: 2002017386_001B203150123110000107_TAXINVOICE.xlsm on win7-20221111-en
behavioral2: 2002017386_001B203150123110000107_TAXINVOICE.xlsm on win10v2004-20221111-en
Malware Config

Extracted family: quasar
Version: 1.3.0.0
Botnet: SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: JRUJdiIOmPJ5LlsFaVs9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets

Target: 2002017386_001B203150123110000107_TAXINVOICE.xlsm (42KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)

Signatures
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or a macro.
- Quasar payload
- WarzoneRat, AveMaria: WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets DLL path for service in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
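As an added example (not part of this sandbox report and not Quasar project code), the following Python turns the extracted config and the listed behaviours into hunting checks run over constructed Sysmon-style events. The C2, mutex, install_name, subdirectory and startup_key values are copied from the config above; the install path under the user profile, the Winlogon Userinit/Shell and Run-key registry patterns, the Office parent-process list, the event field names and netsh as the firewall-modification mechanism are assumptions about how those behaviours appear in endpoint telemetry, not facts taken from the report. The Office-parent check generalizes the report's "Process spawned unexpected child process" beyond Excel to Word and PowerPoint.

```python
# Hunting checks built from the Quasar config and behaviours in the report above.
# Added example, not part of the sandbox report: events are constructed
# Sysmon-style dicts; registry/process/netsh patterns are assumptions.
import ntpath

# Indicators copied from the extracted Quasar 1.3.0.0 config on this page.
QUASAR_CONFIG = {
    "c2_ip": "41.185.97.216",
    "c2_port": 4782,
    "mutex": "MUTEX_QAxMFzrXWG2cbIHPGK",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "cmd",
}

# Assumed telemetry patterns (not from the report): Office hosts that should not
# spawn children, Winlogon values abused for persistence, install-path suffix.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
WINLOGON_VALUES = ("\\winlogon\\userinit", "\\winlogon\\shell")
INSTALL_SUFFIX = ("\\" + QUASAR_CONFIG["subdirectory"]
                  + "\\" + QUASAR_CONFIG["install_name"]).lower()

def basename(path):  # lower-cased file name of a Windows path, on any host OS
    return ntpath.basename(path or "").lower()

def check_network(ev):  # exact match on the configured C2 endpoint
    if ev.get("type") != "network":
        return None
    if (ev.get("dst_ip") == QUASAR_CONFIG["c2_ip"]
            and ev.get("dst_port") == QUASAR_CONFIG["c2_port"]):
        return "quasar_c2_connection"
    return None

def check_mutex(ev):  # per-build mutex string: high-confidence IOC
    if ev.get("type") == "mutex" and ev.get("name") == QUASAR_CONFIG["mutex"]:
        return "quasar_mutex"
    return None

def check_process(ev):  # Office parent spawning a child, or dropped client running
    if ev.get("type") != "process":
        return None
    if basename(ev.get("parent_image")) in OFFICE_IMAGES:
        return "office_spawned_child"
    if (ev.get("image") or "").lower().endswith(INSTALL_SUFFIX):
        return "quasar_install_path_executed"
    return None

def check_registry(ev):  # Winlogon edits, or a Run value named after startup_key
    if ev.get("type") != "registry":
        return None
    target = (ev.get("target") or "").lower()
    details = (ev.get("details") or "").lower()
    if any(v in target for v in WINLOGON_VALUES):
        return "winlogon_persistence"
    if ("\\currentversion\\run\\" in target
            and target.rsplit("\\", 1)[-1] == QUASAR_CONFIG["startup_key"].lower()
            and QUASAR_CONFIG["install_name"].lower() in details):
        return "quasar_run_key"
    return None

def check_firewall(ev):  # netsh adding an exception (assumed firewall mechanism)
    if ev.get("type") != "process" or basename(ev.get("image")) != "netsh.exe":
        return None
    cmd = (ev.get("command_line") or "").lower()
    if "firewall" in cmd and ("add" in cmd or "allowedprogram" in cmd):
        return "firewall_rule_added"
    return None

CHECKS = (check_network, check_mutex, check_process, check_registry, check_firewall)

def triage(events):  # (event_index, tag) for every event that trips a check
    hits = []
    for idx, ev in enumerate(events):
        for chk in CHECKS:
            tag = chk(ev)
            if tag:
                hits.append((idx, tag))
    return hits

# Constructed events mirroring the behaviours in the report (not real logs).
CLIENT = r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "process", "image": EXCEL, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXCEL},
    {"type": "process", "image": CLIENT, "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "image": CLIENT, "dst_ip": "41.185.97.216", "dst_port": 4782},
    {"type": "mutex", "image": CLIENT, "name": "MUTEX_QAxMFzrXWG2cbIHPGK"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cmd",
     "details": CLIENT},
    {"type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe," + CLIENT},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe", "parent_image": CLIENT,
     "command_line": 'netsh firewall add allowedprogram "' + CLIENT + '" "Client.exe" ENABLE'},
    {"type": "network", "image": EXCEL, "dst_ip": "13.107.42.14", "dst_port": 443},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns seven hits (events 1 through 7) and nothing for the explorer-launched Excel, the HTTPS connection to an unrelated address or the Office options key. The C2 and mutex checks are exact and therefore brittle against rebuilt samples; the Winlogon, Office-child and netsh checks are behavioural and survive a rebuild, which is why a practitioner keeps both kinds.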