General

  • Target

    Quote request (Iberia Express Aircraft).exe

  • Size

    287KB

  • Sample

    230223-px7avsfh33

  • MD5

    117d45a1a70dba08bd9f49c581717d62

  • SHA1

    5d9f304c36677dbc50e225c53ed2daef0718f4bf

  • SHA256

    bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350

  • SHA512

    fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1

  • SSDEEP

    6144:2icFyL6SgUo3Mv97fqEJHvbR02vN79QD8CchMehu:pP6I9TPPbRFV9UeY

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks