General

  • Target

    RICHIESTA DI OFFERTA (Università di Parma) 9-02-23·pdf.zip

  • Size

    550KB

  • Sample

    230209-nqfznaad7z

  • MD5

    1a6f87a988d2bd49e33f0c53247aa8a0

  • SHA1

    a6ca988a949bf4950ddad7e7ed5406202d690377

  • SHA256

    6c08bec143e6f1474f75b50131897374c9db23c51c15c09457f607136ba02982

  • SHA512

    bb3e37ec801a90afe56364ba3383a2831aa2b9aa553808355124719c8e060b5510be2fffd42dbf1f2c4b5c1b91caeb7f0c3e2f9db91be965ad33ae769a8c2ec8

  • SSDEEP

    12288:MqABEcbVJ2sERQe0m+78v2oCCSyvrJ8MgS7LVqdEEVS6F:MTBPV8sgQey8v66uqh6EAfF

Malware Config

Targets

    • Target

      REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe

    • Size

      564KB

    • MD5

      cae675beb80ed1fae88d407271ed397e

    • SHA1

      ddf46550655ca7c075496821d90fb7f5706ee9d7

    • SHA256

      5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599

    • SHA512

      cd616b5497a16f5dcd172844ea6652e0d37f4549ce37a9928c125e8776f5c4eddb0ea930a3169ec8fa551121b194edef3a2d8adbd6d3adfa84bd08f143e48835

    • SSDEEP

      12288:GkyEGBEcfVj2sEjQS0Y+N8v2ocCSivrlicgs7LVpr6O:eHBbVKsIQSY8vcKGshx6O

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, possibly to detect virtualization.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks