modiloader | 3fba186854c95d8ea3f1e7bb2b5770c8f3f7d7ca6d7b75646ed2446944c92693

General

Target

New-Order-Scan-120422-and-Company Profile02.exe
Size

1.0MB
MD5

afe3cdc677856c27d51bff6da749e991
SHA1

1c1368a5000e71a791b7b6b56281b8e0055b7928
SHA256

3fba186854c95d8ea3f1e7bb2b5770c8f3f7d7ca6d7b75646ed2446944c92693
SHA512

17621932f6d15c10a8e23b63445385d40d143395036f3e3df4eff2c81a918a808545f0c800a26d13a7531a0acb7c596aee17db73f350308446566ec0fb6ddf1b

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-70-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-71-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-72-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-73-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-76-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-77-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-75-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-74-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-80-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-81-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-79-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-78-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-84-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-85-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-83-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-82-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-88-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-89-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-87-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-86-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-90-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-91-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-92-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-95-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-94-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-93-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-105-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-106-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-104-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-103-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-102-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-113-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-114-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-115-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-120-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-121-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-122-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2
behavioral1/memory/2032-123-0x00000000048E0000-0x000000000492A000-memory.dmp	modiloader_stage2

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1928-118-0x0000000001E50000-0x0000000001FA9000-memory.dmp	warzonerat
behavioral1/memory/1928-117-0x0000000010670000-0x00000000107CB000-memory.dmp	warzonerat
behavioral1/memory/1928-119-0x0000000001E50000-0x0000000001FA9000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

New-Order-Scan-120422-and-Company Profile02.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jqnmiohaat = "C:\\Users\\Public\\Libraries\\taahoimnqJ.url"	New-Order-Scan-120422-and-Company Profile02.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

New-Order-Scan-120422-and-Company Profile02.exe

description	pid	process	target process
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe
PID 2032 wrote to memory of 1928	2032	New-Order-Scan-120422-and-Company Profile02.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\New-Order-Scan-120422-and-Company Profile02.exe
"C:\Users\Admin\AppData\Local\Temp\New-Order-Scan-120422-and-Company Profile02.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-97-0x0000000000000000-mapping.dmp

Download
memory/1928-119-0x0000000001E50000-0x0000000001FA9000-memory.dmp

Filesize
1.3MB

Download
memory/1928-117-0x0000000010670000-0x00000000107CB000-memory.dmp

Filesize
1.4MB

Download
memory/1928-118-0x0000000001E50000-0x0000000001FA9000-memory.dmp

Filesize
1.3MB

Download
memory/1928-100-0x0000000010670000-0x00000000107CB000-memory.dmp

Filesize
1.4MB

Download
memory/2032-91-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-95-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-75-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-74-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-80-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-81-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-79-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-78-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-84-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-85-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-83-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-82-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-88-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-89-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-87-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-86-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-90-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-54-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2032-92-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-77-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-94-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-93-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-76-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-99-0x0000000010670000-0x00000000107CB000-memory.dmp

Filesize
1.4MB

Download
memory/2032-73-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-105-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-106-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-104-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-103-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-102-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-113-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-114-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-115-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-72-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-71-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-70-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-120-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-121-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-122-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download
memory/2032-123-0x00000000048E0000-0x000000000492A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads