modiloader | 570bcfa9b64556d3229ed6616817cd5f1857a8b6e0a7a8f347a3c853a991e081 | Triage

Submit
Reports

Overview

overview

Static

static

CamScanner...sx.exe

windows7-x64

1

CamScanner...sx.exe

windows10-2004-x64

Sharing

General

Target

CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin.zip
Size

501KB
Sample

220802-swmrlshegr
MD5

9622614e82c54aef575c6a133ca541c3
SHA1

9dc36cfbf5a2918383205cd8da874f15ce939fd2
SHA256

570bcfa9b64556d3229ed6616817cd5f1857a8b6e0a7a8f347a3c853a991e081
SHA512

d2ced13d2929da8b2bbf17455cd4cf5a764e32a382347c7d2331d87c7c14b6b1c3f8a92cae2eaf824c511eb183cdb74c1990f1b739a38ee881247f063d0e768f

Score

10^/10

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

Resource

win7-20220718-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

Resource

win10v2004-20220721-en

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

pentester01.duckdns.org:53078

Targets

- Target
  
  CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin
- Size
  
  943KB
- MD5
  
  6751cb0d76292c6f8a95ad189e3d466b
- SHA1
  
  f7d7019833509a4055d3003292bae60720072d20
- SHA256
  
  cd63a354530a4199f3819cb8a2dc1567bb98ed75f8a155d240304e42ea8bfbc9
- SHA512
  
  1372b333c5519174c9c36f8dae90dc41f97767d41521df97b0088cb504060233d96de028ec5b2f742704cd1baae8057faab9b7ce5a8874850b8740ef7b9ec8f9
Score

10^/10

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

modiloaderwarzoneratcollectioninfostealerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy