modiloader | 2a62b0901586adcfed9a57c10d5cdd13b53db183d52c9e3ab296df05d634b146 | Triage

Submit
Reports

Overview

overview

Static

static

3

RFQ projec...n).exe

windows7-x64

RFQ projec...n).exe

windows10-2004-x64

Sharing

General

Target

RFQ project UzMTO (Uzbekistan).exe
Size

882KB
Sample

230511-xq85waab37
MD5

737378c901a202e36a7cf0496c40becf
SHA1

8409b35c0c7ee39b7cd68f7471bb6d9373648379
SHA256

2a62b0901586adcfed9a57c10d5cdd13b53db183d52c9e3ab296df05d634b146
SHA512

a79dbb6bba8878dfc22fe4d907ddb39dad848bd5e836400847c21312630ba445d93840da6b858a617e37fb3421bf79cfcbb4c1984d108b0f2b82870f6d7985f6
SSDEEP

12288:zBTU8A8RppNfqVu3TZLt78lFC927150Pbkttml5OHN6dPfh:zJ8+fNfVTZOlFbsKImHQdn

Score

10^/10

modiloader warzonerat collection infostealer persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RFQ project UzMTO (Uzbekistan).exe

Resource

win7-20230220-en

modiloader trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ project UzMTO (Uzbekistan).exe

Resource

win10v2004-20230220-en

modiloader warzonerat collection infostealer persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

nojonxn.duckdns.org:5200

Targets

- Target
  
  RFQ project UzMTO (Uzbekistan).exe
- Size
  
  882KB
- MD5
  
  737378c901a202e36a7cf0496c40becf
- SHA1
  
  8409b35c0c7ee39b7cd68f7471bb6d9373648379
- SHA256
  
  2a62b0901586adcfed9a57c10d5cdd13b53db183d52c9e3ab296df05d634b146
- SHA512
  
  a79dbb6bba8878dfc22fe4d907ddb39dad848bd5e836400847c21312630ba445d93840da6b858a617e37fb3421bf79cfcbb4c1984d108b0f2b82870f6d7985f6
- SSDEEP
  
  12288:zBTU8A8RppNfqVu3TZLt78lFC927150Pbkttml5OHN6dPfh:zJ8+fNfVTZOlFbsKImHQdn
Score

10^/10

modiloader trojan warzonerat collection infostealer persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderwarzoneratcollectioninfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy