modiloader | 9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c

Analysis

max time kernel
124s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
Size

952KB
MD5

4244160422a6e2f2e2ccae5437de4466
SHA1

1f5b19d4781f3e2e108e6b24b8578a39205d1812
SHA256

9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c
SHA512

649d29ad7989b58b9b904fd41da311e0c9cee631c3fd0762fa1cd6b5d88e08bc68d770dbe1af6579b2b8683b98770570a2045aa0e5f82fade915cc9bf58a8593
SSDEEP

24576:CyQCv11PbnjANYPAj81OUo6w7tNTa9W8AoqiVNW:CIP6sOUzM

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

stub.ignorelist.com:10140

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4980-132-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-134-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-135-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-137-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-136-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-139-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-138-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-141-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-143-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-142-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-140-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-145-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-144-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-147-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-146-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-149-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-148-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-150-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-151-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-153-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-152-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-154-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-156-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-155-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-157-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-158-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-159-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-161-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-162-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-163-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-160-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-165-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-166-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-167-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-168-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-164-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-170-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-171-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-172-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-169-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-173-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-174-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-175-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-176-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-177-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-178-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-179-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-180-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-181-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-183-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-182-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-184-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-185-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-186-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-187-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-188-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-190-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-191-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-189-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-192-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-193-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-194-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-195-0x0000000002740000-0x00000000027A4000-memory.dmp	modiloader_stage2

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1452-288-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/1452-289-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpgqpzjx = "C:\\Users\\Public\\Libraries\\xjzpqgpK.url"	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

description	pid	process	target process
PID 4980 set thread context of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

description	pid	process	target process
PID 4980 wrote to memory of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
PID 4980 wrote to memory of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
PID 4980 wrote to memory of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
PID 4980 wrote to memory of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
PID 4980 wrote to memory of 1452	4980	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe	9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe

C:\Users\Admin\AppData\Local\Temp\9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
"C:\Users\Admin\AppData\Local\Temp\9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe
"C:\Users\Admin\AppData\Local\Temp\9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c.exe"
2⤵
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-227-0x0000000000000000-mapping.dmp

Download
memory/1452-288-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1452-289-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4980-132-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-134-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-135-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-137-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-136-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-139-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-138-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-141-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-143-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-142-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-140-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-145-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-144-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-147-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-146-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-149-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-148-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-150-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-151-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-153-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-152-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-154-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-156-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-155-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-157-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-158-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-159-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-161-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-162-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-163-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-160-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-165-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-166-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-167-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-168-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-164-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-170-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-171-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-172-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-169-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-173-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-174-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-175-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-176-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-177-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-178-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-179-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-180-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-181-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-183-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-182-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-184-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-185-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-186-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-187-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-188-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-190-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-191-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-189-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-192-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-193-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-194-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download
memory/4980-195-0x0000000002740000-0x00000000027A4000-memory.dmp

Filesize
400KB

Download