Rozena belongs to a growing family of file less malware. Its executable is disguised with Microsoft Office Word Document's icon that lure its victim to open it.
Upon execution, it creates a file in Windows Temporary folder with a filename Hi6kI7hcxZwUI. From where it will spawn a PowerShell script via command line. Then it contact its command and control server's IP, 18.104.22.168:443, in Brazil, which is hard coded in the PowerShell script. Rozena Signatures are as follows.
Rozena Sample Download