General

  • Target

    Tax INVOICE AD7689.zip

  • Size

    358KB

  • Sample

    230228-p2gwrsba5z

  • MD5

    155dad6d81d461b10df706e8daa506e4

  • SHA1

    77b09c45d655253ede140df9de61711e1c0e9c77

  • SHA256

    92346febb699d0374c8bb58419eb995ed3c7b1471c7d84c2878aaf5bcfb65b7a

  • SHA512

    50db4b3c0531f6afd185376ec25cd1f0d53e0bb8bc8a23b6bcb10aa0cc8004f5d44399fe8109ff71d59296e5d439d6c630bd29c6c977590391c6e5eee2c8b5f1

  • SSDEEP

    6144:NKhkFQ8SozTZM6MSwtpqhRmC9Rasgh9HyXQDQJSyRCev5473mQFkA8betI:VTpbMSwjqDdor8RRCmNQF78kI

Malware Config

Targets

    • Target

      INVOICE AD7689.exe

    • Size

      434KB

    • MD5

      3228e37e1064ee364adf4a7ace129369

    • SHA1

      4437a6c0968b930fe0d9af50431a03fd4c37b20a

    • SHA256

      3c25f8107bbe56af541ee4f41300922672784dd83553f1ff423c49fc3537692f

    • SHA512

      0a04096006894cf275dc29a7955e73c6a2d6b61aaacb639761b291423772152659f22357b9b3ba998de35e1573c42564a0c151518b9eb4bfdd3f7440f13af0a4

    • SSDEEP

      6144:s6d+tN+sr/ZM6MSwtpqhVmCBRaGgh9HEX0DQJSyXCev5073mQFkA8pdx9:gXdbMSwjqblor2dXCmZQF78N9

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks