General

  • Target

    Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe

  • Size

    287KB

  • Sample

    230223-kqs3fafc64

  • MD5

    fc9afb4b234dd6aaad71a89261867049

  • SHA1

    ae6fcb43d6d152865ed9b689f2f21a5eb45defb4

  • SHA256

    fe4020d80a71155f6d6f490b3ff6d5699cf839c815da0e077b476ab0ba6b375b

  • SHA512

    5e9eb9e4618703d0a68c851c801a06c3736709b9e31a39365d72b573b28841313e36744310eea2ed79711702ff6e5f2df8ac9c9182bc75feec7af14262e17456

  • SSDEEP

    6144:xicFyL+j3bJdUdTSu7NZoK4lq5nxfrh3RJWWvDYZtoKcxo48hyWZdXFjbz:MPEbnUd2uxCKDXLMexH6yudVT

Targets

    • Target

      Ausschreibung (ETH Zürich) CH0824-2023-02-23·.exe

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Modifies Windows Firewall

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6