General
-
Target
RICHIESTA DI OFFERTA (Università di Parma) 9-02-23·pdf.zip
-
Size
550KB
-
Sample
230209-nqfznaad7z
-
MD5
1a6f87a988d2bd49e33f0c53247aa8a0
-
SHA1
a6ca988a949bf4950ddad7e7ed5406202d690377
-
SHA256
6c08bec143e6f1474f75b50131897374c9db23c51c15c09457f607136ba02982
-
SHA512
bb3e37ec801a90afe56364ba3383a2831aa2b9aa553808355124719c8e060b5510be2fffd42dbf1f2c4b5c1b91caeb7f0c3e2f9db91be965ad33ae769a8c2ec8
-
SSDEEP
12288:MqABEcbVJ2sERQe0m+78v2oCCSyvrJ8MgS7LVqdEEVS6F:MTBPV8sgQey8v66uqh6EAfF
Static task
static1
Behavioral task
behavioral1
Sample
REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
-
-
Target
REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
-
Size
564KB
-
MD5
cae675beb80ed1fae88d407271ed397e
-
SHA1
ddf46550655ca7c075496821d90fb7f5706ee9d7
-
SHA256
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
-
SHA512
cd616b5497a16f5dcd172844ea6652e0d37f4549ce37a9928c125e8776f5c4eddb0ea930a3169ec8fa551121b194edef3a2d8adbd6d3adfa84bd08f143e48835
-
SSDEEP
12288:GkyEGBEcfVj2sEjQS0Y+N8v2ocCSivrlicgs7LVpr6O:eHBbVKsIQSY8vcKGshx6O
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-