General

  • Target

    PO 1081467.tar.gz

  • Size

    460KB

  • Sample

    230419-kkanxahd62

  • MD5

    94cc962fb7f1b147580733d5d17afb83

  • SHA1

    50705226291ed22bd92ff71bd6f3d4fc2957de20

  • SHA256

    0f63b06b2514ed768a7e7901500b919a34852762868a87211d53c29ef802a0ee

  • SHA512

    f470e406310e26f7b9132a8e6789cadcb67205dbde9f99009f8033ea49caeb655009f0cb1ab1ab725ee6399f6aa982901c787328d6add84d9007e6fa96540837

  • SSDEEP

    12288:WHMTtYm/qcKHmTbRZbmE2pT4x3bJNZT4XhIx/S+GX:d8cKHmTb7mE2ex37eXw/z8

Malware Config

Extracted

Family

warzonerat

C2

donelpacino.ddns.net:4545

Targets

    • Target

      PO 1081467.exe

    • Size

      1.0MB

    • MD5

      9be239bb9b61a39be91d8d0964410908

    • SHA1

      cd32a23c30e0e44c6aa57b650274deabdc446403

    • SHA256

      7cefa86b7d549456294279b027e5226e771a760fb551b5ee869feaac28f85f8a

    • SHA512

      c3d104640bd2b101462acb8238b1e41d740d7749681e88b6a9e4fab0df00f43d114dcda99f8546e88f780f359109d28861ac4ae14319595a7ead76f2786e2cb7

    • SSDEEP

      24576:VXHj0BF3GDjNZdtxDLCXJfxRjGJfFzVTyj+v4G:VX+cMNCfDTyj+v4G

    • ModiLoader, DBatLoader

ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud services to host and download the malware families it delivers as a second stage.

    • WarzoneRat, AveMaria

WarzoneRat (also known as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials and other sensitive account material.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
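The hashes and the C2 endpoint above are the indicators a responder actually reuses. As an added example, not part of the sandbox report or of any vendor tooling, the following Python gathers them into a small triage script: it streams a file through all four digest algorithms in one pass, reports whether any digest matches the archive or the extracted executable, and scans DNS query logs for lookups of the C2 host. The hash values and `donelpacino.ddns.net:4545` are copied from the report; the DNS log lines and the log line format are constructed sample data, since the report does not include network logs.

```python
"""Triage helpers built from the indicators in this sandbox report.

Added example, not part of the original report. Hashes and the C2 host:port
are copied from the report; SAMPLE_DNS_LOG is constructed sample data.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Indicators copied from the report: the archive and the extracted executable.
REPORT_HASHES: Dict[str, Dict[str, str]] = {
    "PO 1081467.tar.gz": {
        "md5": "94cc962fb7f1b147580733d5d17afb83",
        "sha1": "50705226291ed22bd92ff71bd6f3d4fc2957de20",
        "sha256": "0f63b06b2514ed768a7e7901500b919a34852762868a87211d53c29ef802a0ee",
        "sha512": "f470e406310e26f7b9132a8e6789cadcb67205dbde9f99009f8033ea49caeb655009f0cb1ab1ab725ee6399f6aa982901c787328d6add84d9007e6fa96540837",
    },
    "PO 1081467.exe": {
        "md5": "9be239bb9b61a39be91d8d0964410908",
        "sha1": "cd32a23c30e0e44c6aa57b650274deabdc446403",
        "sha256": "7cefa86b7d549456294279b027e5226e771a760fb551b5ee869feaac28f85f8a",
        "sha512": "c3d104640bd2b101462acb8238b1e41d740d7749681e88b6a9e4fab0df00f43d114dcda99f8546e88f780f359109d28861ac4ae14319595a7ead76f2786e2cb7",
    },
}
C2_HOST, C2_PORT = "donelpacino.ddns.net", 4545


def digests_from_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all four report digests in a single pass over a byte stream."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (wraps the streaming variant)."""
    return digests_from_stream(io.BytesIO(data))


def digests_of_file(path: str) -> Dict[str, str]:
    """Digests of a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as f:
        return digests_from_stream(f)


def match_report(sample_digests: Dict[str, str]) -> Optional[str]:
    """Return the report target whose digests match the sample, or None.

    A match on any single algorithm is enough, because an intel feed often
    carries only one hash type. Hex is compared case-insensitively since
    vendors publish it in either case.
    """
    wanted = {k.lower(): v.lower() for k, v in sample_digests.items()}
    for target, known in REPORT_HASHES.items():
        if any(known[a] == wanted.get(a) for a in ALGOS if a in wanted):
            return target
    return None


# Constructed sample log (not from the report): "<timestamp> <client> <type> <qname>".
# Includes a mixed-case query, a trailing-dot FQDN, and a near-miss domain.
SAMPLE_DNS_LOG = """\
2023-04-19T10:01:02Z 10.0.0.12 A update.microsoft.com
2023-04-19T10:01:07Z 10.0.0.12 A DONELPACINO.ddns.net
2023-04-19T10:01:09Z 10.0.0.12 A donelpacino.ddns.net.
2023-04-19T10:02:30Z 10.0.0.15 A notdonelpacino.ddns.net
"""


def scan_dns_log(lines: Iterable[str], host: str = C2_HOST) -> List[Tuple[str, str]]:
    """Return (timestamp, client) for every query of the C2 host or a subdomain.

    Query names are lower-cased and stripped of a trailing dot, then compared
    on label boundaries so 'notdonelpacino.ddns.net' is not a hit.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _rtype, qname = parts[:4]
        qname = qname.lower().rstrip(".")
        if qname == host or qname.endswith("." + host):
            hits.append((ts, client))
    return hits


if __name__ == "__main__":
    # These bytes are not the sample, so no report target matches.
    print("in-memory blob:", match_report(digests(b"example bytes, not the sample")))
    # A feed carrying only the SHA256 of the dropped executable still matches.
    print("sha256 only:", match_report({"sha256": REPORT_HASHES["PO 1081467.exe"]["sha256"]}))
    for ts, client in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} resolved {C2_HOST} (report C2 port {C2_PORT})")
```

To check a real file, call `match_report(digests_of_file("PO 1081467.exe"))`; any of the four digests matching is enough to link the file to this report. The DNS scan matches the bare host and its subdomains only, so a deliberately similar registration such as `notdonelpacino.ddns.net` is not a hit; extend the comparison to a resolved IP only after confirming it from your own resolver logs, since the report does not give one.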

MITRE ATT&CK Enterprise v6

Tasks