modiloader | 9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e | Triage

Submit
Reports

Overview

overview

Static

static

Approved P...60.exe

windows7-x64

Approved P...60.exe

windows10-2004-x64

Sharing

General

Target

Approved PO - GF-A104-PO-060.exe
Size

879KB
Sample

221130-cqp2sacg5z
MD5

3c6e49db9ebf35e860a45cac78d9676e
SHA1

952c45b62ea3fe96418177055682b01904fcc238
SHA256

9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
SHA512

9ccc7ebc6b2b4e6bf16a757797a5ccd112ea187d280278773df094cd05ad6b80b660f430d1b08eafa7ba101bb77deed33c6da507d2df10dc43f3c2981200834e
SSDEEP

24576:etHXTwz0bRreC/ctnNbnWnS/ronBocjc:etOoeCtSMnBNjc

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Approved PO - GF-A104-PO-060.exe

Resource

win7-20220901-en

modiloader warzonerat infostealer persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Approved PO - GF-A104-PO-060.exe

Resource

win10v2004-20221111-en

modiloader warzonerat infostealer persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

chexfotii.ddns.net:4545

Targets

- Target
  
  Approved PO - GF-A104-PO-060.exe
- Size
  
  879KB
- MD5
  
  3c6e49db9ebf35e860a45cac78d9676e
- SHA1
  
  952c45b62ea3fe96418177055682b01904fcc238
- SHA256
  
  9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
- SHA512
  
  9ccc7ebc6b2b4e6bf16a757797a5ccd112ea187d280278773df094cd05ad6b80b660f430d1b08eafa7ba101bb77deed33c6da507d2df10dc43f3c2981200834e
- SSDEEP
  
  24576:etHXTwz0bRreC/ctnNbnWnS/ronBocjc:etOoeCtSMnBNjc
Score

10^/10

modiloader warzonerat infostealer persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

modiloaderwarzoneratinfostealerpersistencerattrojan

behavioral2

modiloaderwarzoneratinfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy