Overview

overview

10

Static

static

1

OM PO(s) #...21.exe

windows7-x64

10

OM PO(s) #...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OM PO(s) # 32749219-21.exe

  • Size

    805KB

  • Sample

    230420-jlyxfsad41

  • MD5

    d3876665ddfbe8c1fbafc916fbaf9551

  • SHA1

    421e61bf617367290a652cb3b29e1b8c7305e4a9

  • SHA256

    552685bd9d5668183267fa60f76af8584611e11d439085d660ae54147ca5f355

  • SHA512

    39d032c2502b02019057e0b55242ad3b93408006579fe0a765a1fe7d42b283675ea7650348a58b63561741b60f640c515d6ea674422fe7fca8422eba246b920e

  • SSDEEP

    12288:Jwkt7fpbG7q2VrwFup9bAoxJHdDlvKRGXBveIcQgYRmfD+fJOAIW4Wh:JwkNnG/Pxxhp0MxmIcQg7DyF4Wh

Score
10/10
modiloaderwarzoneratcollectioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

warzonerat

C2

nightmare4666.ddns.net:3443

Targets

    • Target

      OM PO(s) # 32749219-21.exe

    • Size

      805KB

    • MD5

      d3876665ddfbe8c1fbafc916fbaf9551

    • SHA1

      421e61bf617367290a652cb3b29e1b8c7305e4a9

    • SHA256

      552685bd9d5668183267fa60f76af8584611e11d439085d660ae54147ca5f355

    • SHA512

      39d032c2502b02019057e0b55242ad3b93408006579fe0a765a1fe7d42b283675ea7650348a58b63561741b60f640c515d6ea674422fe7fca8422eba246b920e

    • SSDEEP

      12288:Jwkt7fpbG7q2VrwFup9bAoxJHdDlvKRGXBveIcQgYRmfD+fJOAIW4Wh:JwkNnG/Pxxhp0MxmIcQg7DyF4Wh

    Score
    10/10
    modiloadertrojanwarzoneratcollectioninfostealerpersistenceratspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • ModiLoader Second Stage

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks