modiloader | 6a7e30b0b06fede9fe359ac41d1dfeec965e3a82074ace3c50855ec0a7ad6b62 | Triage

Submit
Reports

Overview

overview

Static

static

PO-495883.exe

windows7-x64

1

PO-495883.exe

windows10-2004-x64

Sharing

General

Target

8fc330b75eb3ab1f09832acec6354d22
Size

638KB
Sample

220802-zflb6sccbp
MD5

8fc330b75eb3ab1f09832acec6354d22
SHA1

d8925a4d1492da1812410e78d2f475cf63c54d45
SHA256

6a7e30b0b06fede9fe359ac41d1dfeec965e3a82074ace3c50855ec0a7ad6b62
SHA512

711266acd8187524f658fe319fc7526148b8d7158e0a8606d9f9308e565dd01e937e1c3f26cd65c878e8e29328a6ae72af1ffaa4b45f85c76e26fd619f180d86

Score

10^/10

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO-495883.exe

Resource

win7-20220718-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO-495883.exe

Resource

win10v2004-20220721-en

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

172.93.165.166:5200

Targets

- Target
  
  PO-495883.exe
- Size
  
  797KB
- MD5
  
  b5950c57864a66b92295b15ab6bab4c8
- SHA1
  
  1b41aa33af12da022df703ac2ff3a4da25ab1099
- SHA256
  
  15e443d0845a4ad84fb9480596cc5949ce2f3a709bdc56ac4a77c031fb1aa8e7
- SHA512
  
  dd738d0e76137553a1b87a94c0629f549cdb363ef15eb50bbf6034ce57a4a6343c50db08469fc13e39f210511e19cb9416f1a5ab91d495bc6645076b93126f37
Score

10^/10

modiloader warzonerat collection infostealer persistence rat spyware stealer trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

modiloaderwarzoneratcollectioninfostealerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy