Extracted

• • Target

    PO 1081467.exe

  • Size

    1.0MB

  • MD5

    9be239bb9b61a39be91d8d0964410908

  • SHA1

    cd32a23c30e0e44c6aa57b650274deabdc446403

  • SHA256

    7cefa86b7d549456294279b027e5226e771a760fb551b5ee869feaac28f85f8a

  • SHA512

    c3d104640bd2b101462acb8238b1e41d740d7749681e88b6a9e4fab0df00f43d114dcda99f8546e88f780f359109d28861ac4ae14319595a7ead76f2786e2cb7

  • SSDEEP

    24576:VXHj0BF3GDjNZdtxDLCXJfxRjGJfFzVTyj+v4G:VX+cMNCfDTyj+v4G

  Score

  10^/10

  modiloadertrojanwarzoneratcollectioninfostealerpersistenceratspywarestealer

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • ModiLoader Second Stage

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2