modiloader | 1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b

General

Target

RFQ#8086A_461A_0000086_300_3550_2021.exe
Size

983KB
MD5

da76723b187edc1913d3151d6ba0dd78
SHA1

57b7bd782126186cb0cd40919a5a88e2283b978b
SHA256

1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
SHA512

e76d2500f8381e135e7b1c4b47ae2360ded8135f4092b121d9f347127ffa9ed550979e0e532b726f0d3811e23e019b0f8fb3788c38ea2e36ca637cbc96819d2a

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

C2

xchilogs.duckdns.org:23411

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/704-17-0x0000000000890000-0x00000000009E4000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ#8086A_461A_0000086_300_3550_2021.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Obyeke = "C:\\Users\\Public\\Libraries\\ekeybO.url"	RFQ#8086A_461A_0000086_300_3550_2021.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RFQ#8086A_461A_0000086_300_3550_2021.exe

description	pid	process	target process
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe
PID 2004 wrote to memory of 704	2004	RFQ#8086A_461A_0000086_300_3550_2021.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\RFQ#8086A_461A_0000086_300_3550_2021.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#8086A_461A_0000086_300_3550_2021.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-6-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/704-7-0x0000000000000000-mapping.dmp

Download
memory/704-8-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/704-10-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/704-16-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/704-17-0x0000000000890000-0x00000000009E4000-memory.dmp

Filesize
1.3MB

Download
memory/1088-5-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp

Filesize
2.5MB

Download
memory/2004-2-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/2004-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-4-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads