Overview

overview

10

Static

static

Revised Enquiry.exe

windows7-x64

10

Revised Enquiry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Revised Enquiry.exe

  • Size

    793KB

  • Sample

    221122-kr54dsbc7s

  • MD5

    9a8aed85e68f62b931e430cdf467d84a

  • SHA1

    9928c00afdb391518123911181af30bf054cf56c

  • SHA256

    430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0

  • SHA512

    8f643eaa2455f3fbca39869888987ad3e21b974073978d9eb82d93bf4c49726d4acb579280de90fcf3a3d215dfeba1cd494f76447b563b17e6959b233d51539f

  • SSDEEP

    12288:VV2cbnbazcd5JluSVVvkYhrN+k3t+kXPqTdTB2O4rwSMpxwhxStY5:V4cnOcd53uSVVJRsk3QWq5oOqLM2xS+5

Score
10/10
modiloaderwarzoneratinfostealerpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=1VYeqnIRBP80Vu3udEWt23pq_2mnbwUeG

Extracted

Family

warzonerat

C2

victorycolum.ddns.net:8585

Targets

    • Target

      Revised Enquiry.exe

    • Size

      793KB

    • MD5

      9a8aed85e68f62b931e430cdf467d84a

    • SHA1

      9928c00afdb391518123911181af30bf054cf56c

    • SHA256

      430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0

    • SHA512

      8f643eaa2455f3fbca39869888987ad3e21b974073978d9eb82d93bf4c49726d4acb579280de90fcf3a3d215dfeba1cd494f76447b563b17e6959b233d51539f

    • SSDEEP

      12288:VV2cbnbazcd5JluSVVvkYhrN+k3t+kXPqTdTB2O4rwSMpxwhxStY5:V4cnOcd53uSVVJRsk3QWq5oOqLM2xS+5

    Score
    10/10
    modiloaderwarzoneratinfostealerpersistencerattrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • ModiLoader Second Stage

    • Warzone RAT payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks