modiloader | e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1

Analysis

max time kernel
106s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Etahlplefwxouf.exe
Size

734KB
MD5

3ae8a915191e154e1d390f011d1403b0
SHA1

e36e2d035f0f4cfae0b43cde8bc276d9ea9ccb13
SHA256

e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1
SHA512

9bec68396187f51474809eb1c2a3fa1e9a21b3f8cadb33d6ad726b04afb41d6a3e6459832ec0ca13588265c748681dc1d9847883e1953b4f5f4157636cda882a
SSDEEP

12288:ARGCFg0BOWvJ4sFJzZDM94u2itVSX3x7FRS8H8VML2kjO9:AMiBOWvpPlLHitVSn52rmKk

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

su1d.nerdpol.ovh:2222

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 63 IoCs

resource	yara_rule
behavioral2/memory/2548-132-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-134-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-135-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-137-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-138-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-139-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-136-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-141-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-142-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-143-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-140-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-145-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-146-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-147-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-148-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-144-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-150-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-149-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-152-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-153-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-154-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-151-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-156-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-157-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-158-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-159-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-155-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-160-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-161-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-164-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-165-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-163-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-162-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-166-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-167-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-168-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-169-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-170-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-171-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-172-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-173-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-174-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-175-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-176-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-177-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-178-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-179-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-180-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-181-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-182-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-183-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-184-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-185-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-186-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-187-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-188-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-189-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-190-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-191-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-192-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-193-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-195-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2
behavioral2/memory/2548-194-0x0000000002E40000-0x0000000002E6B000-memory.dmp	modiloader_stage2

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2780-325-0x0000000010670000-0x00000000107C6000-memory.dmp	warzonerat
behavioral2/memory/2780-326-0x0000000004020000-0x0000000004174000-memory.dmp	warzonerat
behavioral2/memory/2780-328-0x0000000004020000-0x0000000004174000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	2780	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Etahlple = "C:\\Users\\Public\\Libraries\\elplhatE.url"	Etahlplefwxouf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	Etahlplefwxouf.exe
2548	Etahlplefwxouf.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84
PID 2548 wrote to memory of 2780	2548	Etahlplefwxouf.exe	84

C:\Users\Admin\AppData\Local\Temp\Etahlplefwxouf.exe
"C:\Users\Admin\AppData\Local\Temp\Etahlplefwxouf.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\wscript.exe
  C:\Windows\System32\wscript.exe
  2⤵
  - Blocklisted process makes network request
  PID:2780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-132-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-134-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-135-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-137-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-138-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-139-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-136-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-141-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-142-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-143-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-140-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-145-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-146-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-147-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-148-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-144-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-150-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-149-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-152-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-153-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-154-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-151-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-156-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-157-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-158-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-159-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-155-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-160-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-161-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-164-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-165-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-163-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-162-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-166-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-167-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-168-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-169-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-170-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-171-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-172-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-173-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-174-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-175-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-176-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-177-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-178-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-179-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-180-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-181-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-182-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-183-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-184-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-185-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-186-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-187-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-188-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-189-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-190-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-191-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-192-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-193-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-195-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2548-194-0x0000000002E40000-0x0000000002E6B000-memory.dmp

Filesize
172KB

Download
memory/2780-325-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/2780-326-0x0000000004020000-0x0000000004174000-memory.dmp

Filesize
1.3MB

Download
memory/2780-327-0x00000000054A0000-0x0000000005640000-memory.dmp

Filesize
1.6MB

Download
memory/2780-328-0x0000000004020000-0x0000000004174000-memory.dmp

Filesize
1.3MB

Download