General
Target: Tax INVOICE AD7689.zip
Size: 358KB
Sample: 230228-p2gwrsba5z
MD5: 155dad6d81d461b10df706e8daa506e4
SHA1: 77b09c45d655253ede140df9de61711e1c0e9c77
SHA256: 92346febb699d0374c8bb58419eb995ed3c7b1471c7d84c2878aaf5bcfb65b7a
SHA512: 50db4b3c0531f6afd185376ec25cd1f0d53e0bb8bc8a23b6bcb10aa0cc8004f5d44399fe8109ff71d59296e5d439d6c630bd29c6c977590391c6e5eee2c8b5f1
SSDEEP: 6144:NKhkFQ8SozTZM6MSwtpqhRmC9Rasgh9HyXQDQJSyRCev5473mQFkA8betI:VTpbMSwjqDdor8RRCmNQF78kI
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE AD7689.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: INVOICE AD7689.exe
  Resource: win10v2004-20230221-en
Malware Config
Targets
Target: INVOICE AD7689.exe
Size: 434KB
MD5: 3228e37e1064ee364adf4a7ace129369
SHA1: 4437a6c0968b930fe0d9af50431a03fd4c37b20a
SHA256: 3c25f8107bbe56af541ee4f41300922672784dd83553f1ff423c49fc3537692f
SHA512: 0a04096006894cf275dc29a7955e73c6a2d6b61aaacb639761b291423772152659f22357b9b3ba998de35e1573c42564a0c151518b9eb4bfdd3f7440f13af0a4
SSDEEP: 6144:s6d+tN+sr/ZM6MSwtpqhVmCBRaGgh9HEX0DQJSyXCev5073mQFkA8pdx9:gXdbMSwjqblor2dXCmZQF78N9
- WarzoneRat, AveMaria: WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service (MaaS), with multiple plugins.
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
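Before reproducing any of the behaviour above, confirm that the file in hand is the sample this report describes. The Python below is an added example, not part of the sandbox report or of any tooling it used: it recomputes MD5, SHA1, SHA256 and SHA512 of the archive and of the executable inside it (read in memory, so the sample is never extracted to disk) and compares them with the values copied from the report. SSDEEP is skipped because it needs a third-party library. The archive produced by build_demo_zip() and its payload are constructed stand-ins, so against them the report's hashes do not match; pass the bytes of the real download to verify_archive() to check an actual sample.

```python
"""Verify a sample and its archive members against the hashes a sandbox report lists.

Added example (not part of the sandbox report). The values in REPORT_HASHES are
copied from the report above; the archive built in build_demo_zip() is a
constructed stand-in, NOT the real sample.
"""
import hashlib
import io
import zipfile

# Hashes copied from the report above: the outer archive and the inner executable.
REPORT_HASHES = {
    "Tax INVOICE AD7689.zip": {
        "md5": "155dad6d81d461b10df706e8daa506e4",
        "sha1": "77b09c45d655253ede140df9de61711e1c0e9c77",
        "sha256": "92346febb699d0374c8bb58419eb995ed3c7b1471c7d84c2878aaf5bcfb65b7a",
        "sha512": "50db4b3c0531f6afd185376ec25cd1f0d53e0bb8bc8a23b6bcb10aa0cc8004f5d44399fe8109ff71d59296e5d439d6c630bd29c6c977590391c6e5eee2c8b5f1",
    },
    "INVOICE AD7689.exe": {
        "md5": "3228e37e1064ee364adf4a7ace129369",
        "sha1": "4437a6c0968b930fe0d9af50431a03fd4c37b20a",
        "sha256": "3c25f8107bbe56af541ee4f41300922672784dd83553f1ff423c49fc3537692f",
        "sha512": "0a04096006894cf275dc29a7955e73c6a2d6b61aaacb639761b291423772152659f22357b9b3ba998de35e1573c42564a0c151518b9eb4bfdd3f7440f13af0a4",
    },
}

# SSDEEP is deliberately absent: it is not in hashlib and is skipped by verify().
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_all(data: bytes) -> dict:
    """Return hex digests of `data` for every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def verify(data: bytes, expected: dict) -> dict:
    """Compare computed digests with the expected ones.

    Returns {algorithm: bool} for each algorithm in `expected` that hashlib
    provides; algorithms the report lists but we cannot compute (e.g. ssdeep)
    are skipped rather than counted as failures. Hex case is ignored.
    """
    actual = digest_all(data)
    return {alg: actual[alg] == value.lower() for alg, value in expected.items() if alg in actual}


def verify_archive(zip_bytes: bytes, expected: dict) -> dict:
    """Verify an archive and each member named in `expected`.

    `expected` maps member filenames to {algorithm: hexdigest}; the special key
    "__archive__" holds the hashes of the archive file itself. Members are read
    from memory and never written to disk. Returns {name: {algorithm: bool}};
    a member the report names but the archive does not contain maps to None.
    """
    results = {}
    if "__archive__" in expected:
        results["__archive__"] = verify(zip_bytes, expected["__archive__"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name, hashes in expected.items():
            if name == "__archive__":
                continue
            results[name] = verify(zf.read(name), hashes) if name in names else None
    return results


def all_match(results: dict) -> bool:
    """True only if every named member was present and every compared hash matched."""
    return all(r is not None and all(r.values()) for r in results.values())


def build_demo_zip(payload: bytes, member: str = "INVOICE AD7689.exe") -> bytes:
    """Build a constructed archive holding a harmless stand-in for the executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed demo: a benign stand-in, so the report's hashes will NOT match it.
    demo = build_demo_zip(b"MZ this is not the real sample")
    expected = {
        "__archive__": REPORT_HASHES["Tax INVOICE AD7689.zip"],
        "INVOICE AD7689.exe": REPORT_HASHES["INVOICE AD7689.exe"],
    }
    results = verify_archive(demo, expected)
    for name, checks in results.items():
        print(name, checks if checks is not None else "missing from archive")
    print("sample matches report:", all_match(results))
```

Treat a mismatch on any single algorithm as a different file: the report's hashes were taken from one specific upload, and a repacked or partially downloaded archive will fail the outer check even when the inner executable still matches.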