General

  • Target

    REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe

  • Size

    564KB

  • Sample

    230209-m6vmbahg58

  • MD5

    cae675beb80ed1fae88d407271ed397e

  • SHA1

    ddf46550655ca7c075496821d90fb7f5706ee9d7

  • SHA256

    5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599

  • SHA512

    cd616b5497a16f5dcd172844ea6652e0d37f4549ce37a9928c125e8776f5c4eddb0ea930a3169ec8fa551121b194edef3a2d8adbd6d3adfa84bd08f143e48835

  • SSDEEP

    12288:GkyEGBEcfVj2sEjQS0Y+N8v2ocCSivrlicgs7LVpr6O:eHBbVKsIQSY8vcKGshx6O

Malware Config

Targets

    • Target

      REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks