General

Target: Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe
Size: 287KB
Sample: 230223-kpbf1afc37
MD5: fc9afb4b234dd6aaad71a89261867049
SHA1: ae6fcb43d6d152865ed9b689f2f21a5eb45defb4
SHA256: fe4020d80a71155f6d6f490b3ff6d5699cf839c815da0e077b476ab0ba6b375b
SHA512: 5e9eb9e4618703d0a68c851c801a06c3736709b9e31a39365d72b573b28841313e36744310eea2ed79711702ff6e5f2df8ac9c9182bc75feec7af14262e17456
SSDEEP: 6144:xicFyL+j3bJdUdTSu7NZoK4lq5nxfrh3RJWWvDYZtoKcxo48hyWZdXFjbz:MPEbnUd2uxCKDXLMexH6yudVT
Static task: static1

Behavioral task: behavioral1
Sample: Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe
Resource: win10v2004-20230220-en
Malware Config

Targets

Target: Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe (287KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- WarzoneRat, AveMaria: WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
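The signature names above are the sandbox's own labels for behaviour it observed. The Python pass below is an added illustration, not the sandbox's signature code and not anything recovered from the sample, of how several of those labels can be derived from an API-call trace: the trace format (`<pid> <api> key=value ...`) and every trace line, path, handle and pid in it are constructed here; the constants 0x11 (ThreadInformationClass ThreadHideFromDebugger) and 0x4 (THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER for NtCreateThreadEx) are documented Windows values; the `qemu-ga` path match used for the "Checks QEMU agent file" rule is an assumed marker, and the "dropped" and "injection" rules show the cross-event correlation (file written, then executed or loaded; memory written into a remote process, then its thread context set) that distinguishes these signatures from single-call matches.

```python
"""Derive sandbox-style signatures from an API-call trace.

Added example: the trace format ("<pid> <api> key=value ...") and the trace
lines themselves are constructed for this illustration; nothing here is the
sandbox's own signature code or the sample's recorded behaviour.
"""
import re
from collections import defaultdict

# ThreadInformationClass value for ThreadHideFromDebugger (documented value).
THREAD_HIDE_FROM_DEBUGGER = 0x11
# NtCreateThreadEx flag THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (documented value).
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x00000004
# Autostart key under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# Assumed marker for the QEMU guest agent install path.
QEMU_AGENT_RE = re.compile(r"qemu-ga", re.I)

LINE_RE = re.compile(r"^(\d+) (\w+)(.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces

# Constructed trace: paths, handles, sizes and pids are invented.
SAMPLE_TRACE = r"""
1204 NtSetInformationThread handle=0xf8 class=0x11
1204 NtCreateThreadEx handle=0x104 flags=0x4
1204 NtSetInformationThread handle=0xf8 class=0x0
1204 CreateFileW path=C:\Program Files\qemu-ga\qemu-ga.exe access=0x80000000
1204 NtWriteFile path=C:\Users\user\AppData\Roaming\images.exe size=0x47c00
1204 NtWriteFile path=C:\Users\user\AppData\Roaming\helper.dll size=0x9000
1204 RegSetValueExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=images data=C:\Users\user\AppData\Roaming\images.exe
1204 LoadLibraryW path=C:\Users\user\AppData\Roaming\helper.dll
1204 CreateProcessW path=C:\Users\user\AppData\Roaming\images.exe pid=1312
1204 WriteProcessMemory target=1312 address=0x400000 size=0x3a000
1204 SetThreadContext target=1312 handle=0x110
1312 GetTickCount
"""


def parse_event(line):
    """Return {'pid', 'api', 'args'} for one trace line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, api, rest = m.groups()
    return {"pid": int(pid), "api": api, "args": dict(KV_RE.findall(rest.strip()))}


def hexint(value, default=0):
    """Parse a 0x-prefixed hex argument; missing argument -> default."""
    return int(value, 16) if value else default


def detect(trace):
    """Run the signature rules over a trace; return [(signature, line), ...] in order."""
    hits = []
    dropped = defaultdict(set)      # pid -> lowercase paths it wrote to disk
    wrote_into = defaultdict(set)   # pid -> remote pids it wrote memory into
    for line in trace.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        path = a.get("path", "").lower()
        if api == "NtSetInformationThread" and hexint(a.get("class")) == THREAD_HIDE_FROM_DEBUGGER:
            hits.append(("Suspicious use of NtSetInformationThreadHideFromDebugger", line))
        elif api == "NtCreateThreadEx" and hexint(a.get("flags")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.append(("Suspicious use of NtCreateThreadExHideFromDebugger", line))
        elif api == "CreateFileW" and QEMU_AGENT_RE.search(path):
            hits.append(("Checks QEMU agent file", line))
        elif api == "NtWriteFile" and path:
            dropped[pid].add(path)  # remember what this process wrote, for the rules below
        elif api == "RegSetValueExW" and RUN_KEY_RE.search(a.get("key", "")):
            hits.append(("Adds Run key to start application", line))
        elif api == "LoadLibraryW" and path in dropped[pid]:
            hits.append(("Loads dropped DLL", line))
        elif api == "CreateProcessW" and path in dropped[pid]:
            hits.append(("Executes dropped EXE", line))
        elif api == "WriteProcessMemory" and "target" in a:
            wrote_into[pid].add(int(a["target"]))
        elif api == "SetThreadContext":
            target = int(a.get("target", pid))
            # Remote SetThreadContext after WriteProcessMemory into the same
            # process is the classic injection / hollowing hand-off.
            if target != pid and target in wrote_into[pid]:
                hits.append(("Suspicious use of SetThreadContext", line))
    return hits


def signature_names(trace):
    """Distinct signature names in first-hit order, like the report's list."""
    seen = []
    for name, _ in detect(trace):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, line in detect(SAMPLE_TRACE):
        print(f"{name:60s} <- {line}")
```

The two stateful rules are the ones worth copying: a file write alone is not a signature, but the same process later loading or executing that path is, and SetThreadContext is only flagged when the caller has already written into the target process, which keeps ordinary in-process debugger-style uses out of the result.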