Overview

overview

10

Static

static

OQPO450015...DF.exe

windows7_x64

10

OQPO450015...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    15-07-2021 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OQPO4500150211Rev0.PDF.exe

  • Size

    529KB

  • MD5

    f6b25b3de51b2a8bdfbbd795c9f21e9e

  • SHA1

    8138784d3e0bfa23175e3e90d499e3fa8733e79e

  • SHA256

    9a2cb3f989deb6155e1cc129c68a31b678940db7a477c60bb0ea2d4d88aa22bc

  • SHA512

    328915066292ceeab06b925f8e93861ce9bf7118b0e15228ed6440291a5bfef92292694f56ac958a72beccd4f1c07a795023da527dffdced1c419c94b9d175fd

Score
10/10
modiloaderwarzoneratinfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

blacice24.hopto.org:5032

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 1 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OQPO4500150211Rev0.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\OQPO4500150211Rev0.PDF.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
        PID:1868

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1644-60-0x00000000766D1000-0x00000000766D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1644-61-0x00000000003E0000-0x00000000003FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1644-64-0x0000000000220000-0x0000000000221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1644-66-0x0000000004270000-0x00000000042AA000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1868-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1868-72-0x00000000000D0000-0x00000000000D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1868-71-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1868-74-0x0000000010670000-0x00000000107C6000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1868-73-0x0000000000180000-0x0000000000181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1868-75-0x0000000001E20000-0x0000000001F74000-memory.dmp
      Filesize

      1.3MB

      Download