modiloader | bd7bd4e9769bc9eee10b868717dc3223fa3ea0d3d23cc2c2c2a007297e4fbef8 | Triage

Submit
Reports

Overview

overview

Static

static

1

RFQ Supply...em.exe

windows7-x64

RFQ Supply...em.exe

windows10-2004-x64

Sharing

General

Target

RFQ Supply of MBBR System.cab
Size

336KB
Sample

230416-vpetjaaf88
MD5

dc35d40c822c3f11e2dced52a12d51da
SHA1

8e1037bf6f97849baeea977bd492ecee706e8868
SHA256

bd7bd4e9769bc9eee10b868717dc3223fa3ea0d3d23cc2c2c2a007297e4fbef8
SHA512

db202fe3403258f6f6d83a019d0afb28fd6f71cbb55d230ef033a14609b18036e5f97adc33dbae2c27a0d55eecef8e5f8724315ddeaf7979fe944286b477def9
SSDEEP

6144:EwJjsG237i3VUPcHRLQhrcnZlQr0lsTftuvnsPkDHIjNjxdQmEZa4:Ew523iLQhrcZlQPJO1DihsmEZa4

Score

10^/10

modiloader warzonerat collection infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ Supply of MBBR System.exe

Resource

win7-20230220-en

modiloader trojan

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ Supply of MBBR System.exe

Resource

win10v2004-20230220-en

modiloader warzonerat collection infostealer persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

emberluck.duckdns.org:5200

Targets

- Target
  
  RFQ Supply of MBBR System.exe
- Size
  
  852KB
- MD5
  
  abb2978493e6fd629c09f12a1cf3622d
- SHA1
  
  4fc4df1eb4775835429635304bcbb1b0540ae8a2
- SHA256
  
  6bba225c9fe529b2ad0f6228f264f79c466e26dbb627041a82dc4a6adea2d4a9
- SHA512
  
  9cdba7f3bc1d7a48f025f0f028949eb667cd29567476267ff19149fed8358f45c9bf5d8f5df78bd77a113b7a6f403caaadc5fde9c0d3e54d21dffec99dd98fa3
- SSDEEP
  
  12288:7/xKWyItRI5UhLaB0AiBN4Gyk2VvQuueiF7GTv+KSKPiVVZtjGybm:7IWIUhLaB0nUGykShfnKN/DG/
Score

10^/10

modiloader trojan warzonerat collection infostealer persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderwarzoneratcollectioninfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy