Malware Analysis Report

2025-08-11 01:38

Sample ID 230224-paa9xada9w
Target Nueva Licitación·pdf.exe
SHA256 e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b
Tags
warzonerat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b

Threat Level: Known bad

The file Nueva Licitación·pdf.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat (also tracked as AveMaria)

Drops startup file

Checks QEMU agent file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 12:07

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 12:07

Reported

2023-02-24 12:09

Platform

win7-20230220-en

Max time kernel

27s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsj6C0F.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

(NSIS System plugin unpacked by the installer stub into its ns*.tmp working directory; the same hash appears in every detonation of this sample, so it is installer plumbing rather than a payload.)

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 12:07

Reported

2023-02-24 12:09

Platform

win10v2004-20230220-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"

Signatures

WarzoneRat (also tracked as AveMaria)

rat infostealer warzonerat

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows 8 update = "C:\\Users\\Admin\\Documents\\Windows8.exe" | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Legitimate hosting services abused for malware hosting/C2

(See Network below: drive.google.com and doc-00-8g-docs.googleusercontent.com over TCP/443.)

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 392 set thread context of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe

(The first instance of the sample rewrites the thread context of a second instance of itself; together with the WriteProcessMemory and MapViewOfSection signatures this is the usual injection pattern, and the memory dumps listed under Files are taken from PID 4968.)

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\Documents\Documents:ApplicationData | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Users\Admin\Documents\Windows8.exe

"C:\Users\Admin\Documents\Windows8.exe"
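The behaviours recorded in this detonation reduce to four pieces of host telemetry: a Run value pointing into a user-writable folder (Documents), a .bat dropped into the Startup folder together with a ":start" stream on it, a second alternate data stream under Documents, and powershell.exe spawned by the sample to run Add-MpPreference -ExclusionPath C:\, which excludes the whole system drive from Defender scanning and is not flagged by any signature above. The following is an added example, not the sandbox's or the vendor's code: it runs those four rules over constructed Sysmon-style events that mirror the report's indicators, plus benign control events (a OneDrive Run value, a Zone.Identifier stream, PowerShell's own policy-test file) that the rules must stay silent on. Event field names, rule names and severities are my assumptions.

```python
"""Host-telemetry rules for the persistence and defence-evasion behaviours
in this report, exercised over constructed Sysmon-style events.
Added example: event shapes, rule names and the benign control events are
assumptions, not the sandbox's own data."""
import re
from dataclasses import dataclass

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Nueva Licitación·pdf.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. The first four mirror the report's indicators; the
# last three are benign controls the rules must stay silent on.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": SAMPLE_IMAGE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "Windows 8 update", "value": r"C:\Users\Admin\Documents\Windows8.exe"},
    {"type": "file_create", "image": SAMPLE_IMAGE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start"},
    {"type": "file_create", "image": SAMPLE_IMAGE,
     "path": r"C:\Users\Admin\Documents\Documents:ApplicationData"},
    {"type": "process_create", "image": POWERSHELL, "parent_image": SAMPLE_IMAGE,
     "command_line": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"type": "file_create", "image": POWERSHELL,   # PowerShell's own policy probe
     "path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ui4s3m2e.p3q.ps1"},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\Admin\Downloads\invoice.pdf:Zone.Identifier"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Documents|Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:([^\\:]+)$")        # drive:\path:stream
MP_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\S+)", re.I)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def check_run_key(ev):
    """Run/RunOnce value whose target lives in a user-writable directory."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    target = ev.get("value", "").strip('"')
    if USER_WRITABLE_RE.search(target):
        return Finding("run_key_user_writable_target", "high",
                       f"{ev.get('name')} -> {target} (set by {ev.get('image')})")
    return None


def check_startup_drop(ev):
    """Any file written into a Start Menu Startup folder."""
    if ev.get("type") == "file_create" and STARTUP_DIR_RE.search(ev.get("path", "")):
        return Finding("startup_folder_drop", "medium", ev["path"])
    return None


def check_ads(ev):
    """File created in an NTFS alternate data stream; Zone.Identifier is browser noise."""
    if ev.get("type") != "file_create":
        return None
    m = ADS_RE.match(ev.get("path", ""))
    if m and m.group(1).lower() != "zone.identifier":
        return Finding("ntfs_ads_write", "medium", f"stream '{m.group(1)}' on {ev['path']}")
    return None


def check_defender_exclusion(ev):
    """Add-MpPreference exclusion from a spawned process; a drive root is rated high."""
    if ev.get("type") != "process_create":
        return None
    m = MP_EXCLUSION_RE.search(ev.get("command_line", ""))
    if not m:
        return None
    target = m.group(2).strip("\"'")
    severity = "high" if DRIVE_ROOT_RE.fullmatch(target) else "medium"
    return Finding("defender_exclusion_added", severity,
                   f"{m.group(1)} exclusion for {target} (parent {ev.get('parent_image')})")


CHECKS = (check_run_key, check_startup_drop, check_ads, check_defender_exclusion)


def run_detections(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the constructed events this yields five findings: the Run value, the Startup drop (which also trips the ADS rule because of its ":start" stream), the Documents:ApplicationData stream, and the Defender exclusion rated high because its target is a drive root. The OneDrive Run value does not fire because its target is under AppData\Local\Microsoft rather than one of the listed drop directories, and Zone.Identifier is excluded explicitly; both exclusions are policy choices to tune per environment.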

Network

Country  Destination           Domain                                Proto
US       20.42.73.27:443       -                                     tcp
US       8.8.8.8:53            64.13.109.52.in-addr.arpa             udp
NL       173.223.113.164:443   -                                     tcp
NL       173.223.113.131:80    -                                     tcp
US       204.79.197.203:80     -                                     tcp
US       93.184.221.240:80     -                                     tcp
US       93.184.221.240:80     -                                     tcp
NL       173.223.113.131:80    -                                     tcp
US       8.8.8.8:53            drive.google.com                      udp
NL       142.251.36.46:443     drive.google.com                      tcp
US       8.8.8.8:53            46.36.251.142.in-addr.arpa            udp
US       8.8.8.8:53            35.36.251.142.in-addr.arpa            udp
US       8.8.8.8:53            doc-00-8g-docs.googleusercontent.com  udp
NL       142.250.179.193:443   doc-00-8g-docs.googleusercontent.com  tcp
US       8.8.8.8:53            193.179.250.142.in-addr.arpa          udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu87D4.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\Users\Admin\AppData\Local\Temp\nsu87D4.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\Users\Admin\AppData\Local\Temp\nsu87D4.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

memory/4968-149-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4968-162-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4968-165-0x0000000001660000-0x0000000007119000-memory.dmp

memory/4968-166-0x0000000000400000-0x0000000001654000-memory.dmp

memory/3136-167-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

memory/3136-172-0x0000000005900000-0x0000000005F28000-memory.dmp

C:\Users\Admin\Documents\Windows8.exe

MD5 e139e86d62fbf7c936d7243f18161b95
SHA1 ec350ff61126352132c96bbbf3e19f6670998aca
SHA256 e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b
SHA512 d7357101df9a778e2302b2b6f1d12779428001613d17ad672747d84f2fe3f312703593405553376cdbb04210792131cdeb01935f503fd0822ae0e73554c708a0

(Same SHA256 as the submitted sample: the installer copies itself into Documents and points the "Windows 8 update" Run value at that copy.)

memory/3136-176-0x00000000056E0000-0x0000000005702000-memory.dmp

memory/3136-179-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/3136-178-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/3136-181-0x0000000005FA0000-0x0000000006006000-memory.dmp


memory/3136-177-0x00000000052C0000-0x00000000052D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ui4s3m2e.p3q.ps1

(Written by powershell.exe itself at start-up to probe the script execution policy (AppLocker/WDAC); it is a side effect of the Add-MpPreference launch, not a dropped payload.)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4968-175-0x0000000001660000-0x0000000007119000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Archilochian\Steffans\Mastras188\Mfl.Mil54

MD5 827bf2670868763c1efb414a81704260
SHA1 887e1b09617570f55a715e916d26af6f40c433b8
SHA256 3df0b3fa4190d8a63cfbde83b45e166b64cc1ff2a1d627e4ca2d7737e7d020af
SHA512 483c6bed293892cfd93550e008391097b08fe7ce248eeacd539adcd3f157dfbad2ec09aee1837d5e5e189cf0cc276c05507e79a45e37a7382f46719f7a474f3e

memory/4968-192-0x0000000000400000-0x0000000001654000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Archilochian\Victuals\Protevangelium\Aquatinta\Timoteus\Plovjern.Lax113

MD5 9d9a2bddb2619eefda32b51f6dced7e1
SHA1 fb5c7dec1e01b3cd4399c2af8d3148f1be082926
SHA256 e54b3b3f11ac93036a7ada30d2986d7bd322807970efd1c5944aee4c330da6ba
SHA512 1d48e4b1d5730ea139cc2a449542c9d873ab8abc27d6e4b79b65d81f4230cee4ba741af810a8638eaa2d3d2879e43c7e3974e0e783217eba762208a82e13ac2d

C:\Users\Admin\AppData\Local\Temp\nsyC07E.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0


memory/3136-204-0x00000000065B0000-0x00000000065CE000-memory.dmp
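The Files listing above records the same artifact once per extraction and interleaves memory dumps, so an IOC list built from it by hand easily double-counts or ships the NSIS plugin hash as if it were a payload. The following is an added example, not sandbox output: it parses an excerpt copied from the listing above (SHA512 lines dropped for brevity), collapses entries by SHA256 while keeping every path seen, and labels each unique file by heuristics of mine: the hash equals the submitted sample's (self-copy), the path is ns*.tmp\System.dll (NSIS System plugin), or the name is PowerShell's own __PSScriptPolicyTest probe. The labels and the "needs review" default are assumptions, not a verdict.

```python
"""Parse the flattened Files listing of this report into unique artifacts.
Added example, not sandbox output: the excerpt is copied from the listing
above (SHA512 lines omitted); the labels are heuristics of mine."""
import re
from dataclasses import dataclass, field

SAMPLE_SHA256 = "e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b"
NSIS_SYSTEM_DLL_SHA256 = "ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7"

# Excerpt of the behavioral2 Files section, duplicates and memory dumps included.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\nsu87D4.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

C:\Users\Admin\AppData\Local\Temp\nsu87D4.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

memory/4968-149-0x0000000000400000-0x0000000001654000-memory.dmp

C:\Users\Admin\Documents\Windows8.exe

MD5 e139e86d62fbf7c936d7243f18161b95
SHA256 e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b

memory/3136-176-0x00000000056E0000-0x0000000005702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ui4s3m2e.p3q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Archilochian\Steffans\Mastras188\Mfl.Mil54

MD5 827bf2670868763c1efb414a81704260
SHA256 3df0b3fa4190d8a63cfbde83b45e166b64cc1ff2a1d627e4ca2d7737e7d020af

C:\Users\Admin\AppData\Local\Temp\nsyC07E.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NSIS_PLUGIN_RE = re.compile(r"\\ns[0-9a-z]+\.tmp\\System\.dll$", re.I)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files_section(text):
    """Each non-blank, non-hash line starts an artifact; hash lines attach to it."""
    artifacts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = Artifact(line)
            artifacts.append(current)
    return artifacts


def label(paths, sha256, sample_sha256):
    """Heuristic classification (assumption, not a sandbox verdict)."""
    if sha256 == sample_sha256:
        return "self_copy_of_sample"
    if any(NSIS_PLUGIN_RE.search(p) for p in paths):
        return "nsis_system_plugin"
    if any("__PSScriptPolicyTest_" in p for p in paths):
        return "powershell_policy_test_noise"
    return "dropped_file_needs_review"


def summarize_report(text, sample_sha256):
    """Unique files keyed by SHA256 with every path seen, plus a memory-dump count."""
    files, memory_dumps = {}, 0
    for art in parse_files_section(text):
        if art.path.startswith("memory/"):
            memory_dumps += 1
            continue
        entry = files.setdefault(art.hashes.get("SHA256"),
                                 {"paths": [], "md5": art.hashes.get("MD5")})
        if art.path not in entry["paths"]:
            entry["paths"].append(art.path)
    for sha, entry in files.items():
        entry["label"] = label(entry["paths"], sha, sample_sha256)
    return {"files": files, "memory_dumps": memory_dumps}


def ioc_hashes(summary):
    """SHA256s worth blocking; installer plumbing and PowerShell's probe file are skipped."""
    skip = {"nsis_system_plugin", "powershell_policy_test_noise"}
    return sorted(sha for sha, e in summary["files"].items() if e["label"] not in skip)


if __name__ == "__main__":
    summary = summarize_report(REPORT_EXCERPT, SAMPLE_SHA256)
    for sha, e in summary["files"].items():
        print(sha, e["label"], *e["paths"], sep="\n  ")
    print("block:", ioc_hashes(summary))
```

The excerpt collapses to four unique files and two memory dumps; the System.dll hash is kept once with both ns*.tmp paths attached, Windows8.exe is recognised as the sample itself, and only the sample hash and the unexplained Mfl.Mil54 file survive into the blocklist. Run it against the full listing by pasting the rest of the section into REPORT_EXCERPT.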