modiloader | f6e135f152463447adc3db1b0de4534d762e21699b17fea4fc66cd2dbf937345

General

Target

order confirmation reference no. FXEPS6S100523 .exe
Size

804KB
Sample

230502-gbc6wshg52
MD5

abc22566e1c69dc36e74310dedf0ba9d
SHA1

e79b1e5426cb99f868722639b954388db77786ff
SHA256

f6e135f152463447adc3db1b0de4534d762e21699b17fea4fc66cd2dbf937345
SHA512

99d4d313a4c47603f56c62c9d5924adae04df8945feb6b7b6cccdf7076552c2903a5fce214d15cc354bcdd547c43a52fa373b4b3fbdba0703d52dbfdb69be770
SSDEEP

12288:0u+e4v0ma0dwwcQNHRh+ZXiwBdbPmWvy5dHnlllllllllllllllllllllllllll7:0uRQq0iwcmhEffeWKnzhxN2rn4P9h

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

nightmare4666.ddns.net:3443

Targets

- Target
  
  order confirmation reference no. FXEPS6S100523 .exe
- Size
  
  804KB
- MD5
  
  abc22566e1c69dc36e74310dedf0ba9d
- SHA1
  
  e79b1e5426cb99f868722639b954388db77786ff
- SHA256
  
  f6e135f152463447adc3db1b0de4534d762e21699b17fea4fc66cd2dbf937345
- SHA512
  
  99d4d313a4c47603f56c62c9d5924adae04df8945feb6b7b6cccdf7076552c2903a5fce214d15cc354bcdd547c43a52fa373b4b3fbdba0703d52dbfdb69be770
- SSDEEP
  
  12288:0u+e4v0ma0dwwcQNHRh+ZXiwBdbPmWvy5dHnlllllllllllllllllllllllllll7:0uRQq0iwcmhEffeWKnzhxN2rn4P9h
Score

10^/10

modiloader trojan warzonerat infostealer persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

WarzoneRat, AveMaria

ModiLoader Second Stage

Warzone RAT payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2