General
-
Target
REQUEST FOR OFFER (University of Parma)·pdf.exe
-
Size
429KB
-
Sample
230227-ppg11add71
-
MD5
7a77752b8928c265fab078746f2c0a00
-
SHA1
8864e85a6bd4ffb603792deb5ac32cd0573c63e8
-
SHA256
1618cd5f5490038c34e179710ad15803a6549955b22a9d83b4f60eeccb7f2975
-
SHA512
9f92cff471e5bc71af2ffd4bbd7f7fa654f541540e94504a91339bb2a1c0ab5acfecbb53d9fde4589ee416a004e64ee76a429d21102532d629f1ba1784945ee2
-
SSDEEP
6144:Z6d+tN+sW5H9IR/vOF4wnXLjr5i63MhBLmDpW2oD1HCD+5073mQFkA8pdxf:5XOdz4U393iaW1i6ZQF78Nf
Static task
static1
Behavioral task
behavioral1
Sample
REQUEST FOR OFFER (University of Parma)·pdf.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
REQUEST FOR OFFER (University of Parma)·pdf.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
forcema002.duckdns.org:8234
Targets
-
-
Target
REQUEST FOR OFFER (University of Parma)·pdf.exe
-
Size
429KB
-
MD5
7a77752b8928c265fab078746f2c0a00
-
SHA1
8864e85a6bd4ffb603792deb5ac32cd0573c63e8
-
SHA256
1618cd5f5490038c34e179710ad15803a6549955b22a9d83b4f60eeccb7f2975
-
SHA512
9f92cff471e5bc71af2ffd4bbd7f7fa654f541540e94504a91339bb2a1c0ab5acfecbb53d9fde4589ee416a004e64ee76a429d21102532d629f1ba1784945ee2
-
SSDEEP
6144:Z6d+tN+sW5H9IR/vOF4wnXLjr5i63MhBLmDpW2oD1HCD+5073mQFkA8pdxf:5XOdz4U393iaW1i6ZQF78Nf
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-