General

  • Target

    REQUEST FOR OFFER (University of Parma)·pdf.exe

  • Size

    429KB

  • Sample

    230227-ppg11add71

  • MD5

    7a77752b8928c265fab078746f2c0a00

  • SHA1

    8864e85a6bd4ffb603792deb5ac32cd0573c63e8

  • SHA256

    1618cd5f5490038c34e179710ad15803a6549955b22a9d83b4f60eeccb7f2975

  • SHA512

    9f92cff471e5bc71af2ffd4bbd7f7fa654f541540e94504a91339bb2a1c0ab5acfecbb53d9fde4589ee416a004e64ee76a429d21102532d629f1ba1784945ee2

  • SSDEEP

    6144:Z6d+tN+sW5H9IR/vOF4wnXLjr5i63MhBLmDpW2oD1HCD+5073mQFkA8pdxf:5XOdz4U393iaW1i6ZQF78Nf

Malware Config

Extracted

Family

warzonerat

C2

forcema002.duckdns.org:8234
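The extracted C2 above is a hostname and port, not an IP address, and the hostname sits under duckdns.org, a free dynamic-DNS service. The following added example (not part of the sandbox report) shows how a hunter would turn that indicator into a check over DNS and connection logs: match the hostname case-insensitively, learn the resolved address from the DNS answers rather than hard-coding it, and then flag connections to that address on the C2 port. The log lines are constructed for illustration, with fields modelled on Zeek dns.log (ts, orig_h, resp_h, query, answer) and conn.log (ts, orig_h, resp_h, resp_p, proto); 198.51.100.23 is a documentation address standing in for whatever the name resolved to at the time.

```python
"""Check DNS and connection logs for the WarzoneRAT C2 extracted above.

Added example, not part of the sandbox report. C2_INDICATOR is the value
from the Malware Config section; SAMPLE_DNS_LOG and SAMPLE_CONN_LOG are
constructed, tab-separated lines imitating Zeek dns.log and conn.log.
"""
from dataclasses import dataclass

C2_INDICATOR = "forcema002.duckdns.org:8234"   # from the report's Malware Config

# Constructed sample data (not real traffic): ts, orig_h, resp_h, query, answer
SAMPLE_DNS_LOG = """\
1677500000.123\t10.0.0.5\t10.0.0.2\tforcema002.duckdns.org\t198.51.100.23
1677500001.456\t10.0.0.7\t10.0.0.2\tupdate.microsoft.com\t13.107.4.50
1677500002.789\t10.0.0.5\t10.0.0.2\tFORCEMA002.duckdns.org.\t198.51.100.23
"""
# Constructed sample data (not real traffic): ts, orig_h, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
1677500003.000\t10.0.0.5\t198.51.100.23\t8234\ttcp
1677500004.000\t10.0.0.5\t198.51.100.23\t443\ttcp
1677500005.000\t10.0.0.7\t13.107.4.50\t443\ttcp
"""


@dataclass(frozen=True)
class C2:
    host: str
    port: int


def normalize(name: str) -> str:
    # DNS names are case-insensitive and queries may carry a trailing dot.
    return name.lower().rstrip(".")


def parse_c2(indicator: str) -> C2:
    """Split the 'host:port' string exactly as the sandbox prints it."""
    host, _, port = indicator.rpartition(":")
    return C2(normalize(host), int(port))


def is_dynamic_dns(host: str) -> bool:
    # duckdns.org is a free dynamic-DNS service: the operator can repoint the
    # name at will, so the hostname is the stable indicator and the IP must be
    # learned from observed DNS answers, not copied from a single sandbox run.
    return host.endswith(".duckdns.org")


def find_c2_activity(indicator: str, dns_log: str, conn_log: str) -> list:
    """Return a list of hits: DNS queries for the C2 name, then connections
    to any address that name was seen resolving to."""
    c2 = parse_c2(indicator)
    hits = []
    resolved = set()
    for line in dns_log.splitlines():
        ts, src, _, query, answer = line.split("\t")
        if normalize(query) == c2.host:
            hits.append({"kind": "dns_query", "ts": ts, "src": src, "detail": query})
            resolved.add(answer)
    for line in conn_log.splitlines():
        ts, src, dst, port, proto = line.split("\t")
        if dst not in resolved:
            continue
        # Contact on the C2 port is the strong signal; other ports to the same
        # address are still worth a look because the host is attacker-controlled.
        kind = "c2_connection" if int(port) == c2.port else "resolved_ip_contact"
        hits.append({"kind": kind, "ts": ts, "src": src, "detail": f"{dst}:{port}/{proto}"})
    return hits


if __name__ == "__main__":
    for hit in find_c2_activity(C2_INDICATOR, SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(hit)
```

Because the name is dynamic DNS, a block on the IP seen in the sandbox will go stale; block or alert on the hostname (and, for network telemetry without DNS visibility, on outbound TCP/8234 to addresses that recently answered for it).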

Targets

    • Target

      REQUEST FOR OFFER (University of Parma)·pdf.exe

    • Size

      429KB

    • MD5

      7a77752b8928c265fab078746f2c0a00

    • SHA1

      8864e85a6bd4ffb603792deb5ac32cd0573c63e8

    • SHA256

      1618cd5f5490038c34e179710ad15803a6549955b22a9d83b4f60eeccb7f2975

    • SHA512

      9f92cff471e5bc71af2ffd4bbd7f7fa654f541540e94504a91339bb2a1c0ab5acfecbb53d9fde4589ee416a004e64ee76a429d21102532d629f1ba1784945ee2

    • SSDEEP

      6144:Z6d+tN+sW5H9IR/vOF4wnXLjr5i63MhBLmDpW2oD1HCD+5073mQFkA8pdxf:5XOdz4U393iaW1i6ZQF78Nf

    • WarzoneRat, AveMaria

      WarzoneRAT (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS), with optional plugins that extend its capabilities.

    • Warzone RAT payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, most likely to detect that it is running inside a virtual machine or sandbox.

    • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

      The C2 host forcema002.duckdns.org is a free dynamic-DNS name, so the address it resolves to can change between runs.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
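The last few signatures are all derived from the API calls the sample made while running. The following added example (not the sandbox's own signature engine) re-derives four of them from an API-call trace so the underlying logic is visible: NtSetInformationThread with ThreadInformationClass 0x11 (ThreadHideFromDebugger), NtCreateThreadEx with the hide-from-debugger create flag (0x4), a file lookup for the QEMU guest agent, and SetThreadContext on a child that was created suspended and written to, which is the process-hollowing pattern. The trace format (one call per line: pid, API name, comma-separated arg=value pairs) and the sample lines are constructed for this illustration; the numeric constants are Windows' documented values, and the qemu-ga install path is an assumed location.

```python
"""Re-derive four of the behaviour signatures above from an API-call trace.

Added example, not the sandbox's signature engine. SAMPLE_TRACE and its
'pid|api|arg=value,...' layout are constructed for illustration; the
constants are Windows' documented values; the qemu-ga path is assumed.
"""
from collections import defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11          # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x4                    # CreateProcess* dwCreationFlags bit
QEMU_AGENT_MARKERS = ("qemu-ga",)         # assumed: name of the QEMU guest agent

# Constructed sample trace (not a real sandbox log).
SAMPLE_TRACE = r"""2104|GetFileAttributesW|FileName=C:\Program Files\qemu-ga\qemu-ga.exe
2104|NtSetInformationThread|ThreadHandle=0xfffffffe,ThreadInformationClass=0x11
2104|NtCreateThreadEx|ProcessHandle=0xffffffff,CreateFlags=0x4
2104|CreateProcessW|ApplicationName=C:\Windows\System32\cmd.exe,CreationFlags=0x4,ChildPid=3320
2104|WriteProcessMemory|ProcessId=3320,BaseAddress=0x400000
2104|SetThreadContext|ProcessId=3320
2104|ResumeThread|ProcessId=3320
"""


def parse_call(line: str):
    """Split 'pid|api|k=v,k=v' into (pid, api, {k: v}); args may be absent."""
    parts = line.split("|", 2)
    pid, api = int(parts[0]), parts[1]
    argstr = parts[2] if len(parts) > 2 else ""
    args = dict(kv.split("=", 1) for kv in argstr.split(",") if "=" in kv)
    return pid, api, args


def as_int(value: str) -> int:
    return int(value, 0)  # accepts both 0x.. hex and plain decimal


def match_signatures(trace: str) -> dict:
    """Return {signature name: [trace lines that triggered it]}."""
    hits = defaultdict(list)
    # (parent pid, child pid) -> stages of the hollowing chain seen so far
    hollow = defaultdict(set)
    for line in trace.strip().splitlines():
        pid, api, args = parse_call(line)
        if api in ("GetFileAttributesW", "NtCreateFile", "CreateFileW"):
            name = args.get("FileName", "").lower()
            if any(marker in name for marker in QEMU_AGENT_MARKERS):
                hits["Checks QEMU agent file"].append(line)
        elif api == "NtSetInformationThread":
            if as_int(args.get("ThreadInformationClass", "0")) == THREAD_HIDE_FROM_DEBUGGER:
                hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(line)
        elif api == "NtCreateThreadEx":
            if as_int(args.get("CreateFlags", "0")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                hits["Suspicious use of NtCreateThreadExHideFromDebugger"].append(line)
        elif api in ("CreateProcessW", "CreateProcessA"):
            # A child started suspended is the first step of process hollowing.
            if as_int(args.get("CreationFlags", "0")) & CREATE_SUSPENDED and "ChildPid" in args:
                hollow[(pid, as_int(args["ChildPid"]))].add("suspended")
        elif api in ("WriteProcessMemory", "SetThreadContext", "ResumeThread") and "ProcessId" in args:
            key = (pid, as_int(args["ProcessId"]))
            if "suspended" in hollow[key]:
                hollow[key].add(api)
                # Rewriting the suspended child's thread context after writing
                # into its memory is what makes SetThreadContext suspicious.
                if api == "SetThreadContext" and "WriteProcessMemory" in hollow[key]:
                    hits["Suspicious use of SetThreadContext"].append(line)
    return dict(hits)


if __name__ == "__main__":
    for name, lines in match_signatures(SAMPLE_TRACE).items():
        print(f"{name}: {len(lines)} call(s)")
```

A plain SetThreadContext call is not flagged on its own; only the suspended-child, write, then context-change sequence is, which is the distinction that keeps this signature from firing on legitimate debuggers and thread managers.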

MITRE ATT&CK Enterprise v6

Tasks