General

  • Target

    quote- AWT - 2019.15.07.exe

  • Size

    1.0MB

  • Sample

    221121-k2saaace32

  • MD5

    27b06589ccae405f375812b6a183ab5e

  • SHA1

    8931c80fe91ffdd323de07e7763e2c110bb08aef

  • SHA256

    3ed398f02316edd3a2fd9afad8b4748f4b056ab659a8f22a8f4bbec361e9d19c

  • SHA512

    bf7e2433c6c6bb02cc5a8968316da3a2d7d5d658e3031d1b133f7719346235d24ceb5ef16629d90e49c1e6231490a8c903d7e59db2ee445ad01b122d28bba39f

  • SSDEEP

    24576:U1ZIJHZxeAaa3RSGKzso/vq5oOqLM2xl/f8h:U1ZIEosq5c/K

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://drive.google.com/uc?export=download&id=1iwCmj6HoDUOEdb-0NHv0DhGLWvcNSVfr

Extracted

  • Family

    warzonerat

  • C2

    nightmare4666.ddns.net:2442

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks