Overview

overview

10

Static

static

25.exe

windows7_x64

10

25.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    25.exe

  • Size

    769KB

  • Sample

    220525-s3715abfe7

  • MD5

    9e9770e3e6841fb84f3a6a09319e00d5

  • SHA1

    6cd473a89a6318aa8bc06fca2b309ec090c2196e

  • SHA256

    90653158d2956b7a08a653a03fcadb97b5d8efabdab5d044dc688fa3ab470ab5

  • SHA512

    87f273bf336d9342195f339908b544a503b8929cb513a8dc8a519a2ffd3b2d42120065f4a2603ec0f27bf4760fea7a922c2102c83a9b7fd0506116358889cc35

Score
10/10
modiloaderwarzoneratinfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

91.207.57.115:5079

Targets

    • Target

      25.exe

    • Size

      769KB

    • MD5

      9e9770e3e6841fb84f3a6a09319e00d5

    • SHA1

      6cd473a89a6318aa8bc06fca2b309ec090c2196e

    • SHA256

      90653158d2956b7a08a653a03fcadb97b5d8efabdab5d044dc688fa3ab470ab5

    • SHA512

      87f273bf336d9342195f339908b544a503b8929cb513a8dc8a519a2ffd3b2d42120065f4a2603ec0f27bf4760fea7a922c2102c83a9b7fd0506116358889cc35

    Score
    10/10
    modiloaderwarzoneratinfostealerpersistencerattrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • ModiLoader Second Stage

    • Warzone RAT Payload

      rat

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks