Overview

overview

10

Static

static

Order conf...22.exe

windows7-x64

10

Order conf...22.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order confirmation reference no. FXEPS62022.exe

  • Size

    662KB

  • Sample

    221122-h4p7ladg44

  • MD5

    143bcb812ed5583a70d2a5c425ed0b81

  • SHA1

    09f4a1032067ec2c4c12206b67f4348fa8fc8432

  • SHA256

    0154435a9ca1ab793fb98c95b9fc1cef9b64cb6e54e7b0af6cc358018476ee11

  • SHA512

    0f7c552d17e9e0e6a9cacffaa9492d21e651e34ab80b52dc397b96827030fb9a64bd00ff791b6a4b722b3d82f8faa4797d0b225cbb0781f18adf974888935383

  • SSDEEP

    12288:xDjeLlJcFNDJJCTbtCkQHvGMJfGb8/4OQk5dHj8h:xDiT6pyJmGMJfGw/LQk38h

Score
10/10
modiloaderwarzoneratinfostealerpersistencerattrojan

Malware Config

Extracted

Family

warzonerat

C2

bestsuccess.ddns.net:2442

Targets

    • Target

      Order confirmation reference no. FXEPS62022.exe

    • Size

      662KB

    • MD5

      143bcb812ed5583a70d2a5c425ed0b81

    • SHA1

      09f4a1032067ec2c4c12206b67f4348fa8fc8432

    • SHA256

      0154435a9ca1ab793fb98c95b9fc1cef9b64cb6e54e7b0af6cc358018476ee11

    • SHA512

      0f7c552d17e9e0e6a9cacffaa9492d21e651e34ab80b52dc397b96827030fb9a64bd00ff791b6a4b722b3d82f8faa4797d0b225cbb0781f18adf974888935383

    • SSDEEP

      12288:xDjeLlJcFNDJJCTbtCkQHvGMJfGb8/4OQk5dHj8h:xDiT6pyJmGMJfGw/LQk38h

    Score
    10/10
    modiloadertrojanwarzoneratinfostealerpersistencerat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • ModiLoader Second Stage

    • Warzone RAT payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks