modiloader | dbef52a6ea1fc86e3517505ff1c47ecd57c5f17b09e846f8806f22b52dbbea60

General

Target

d2a4fd38881cf31c8c57a6d0b5ff7efe.bin
Size

363KB
Sample

230517-b5kvyadd38
MD5

53197bbe788807b174656072abe90e9e
SHA1

b881b7daa04fd06ef1e7fe9629b1fe55f8342812
SHA256

dbef52a6ea1fc86e3517505ff1c47ecd57c5f17b09e846f8806f22b52dbbea60
SHA512

93a3600f54a79e0cdf5d788851d72eb875c1b513c59954e905dfd3230b74e7ac6cdb23d1304e21caaabb63ae45c7b005dcd8e389ae4fe6343a9ba0f6f9dcaf30
SSDEEP

6144:4EyRkL7kggKBzHTY5xKb06FwsSWBdX1/qrTJZMvomXMFDUwpjD1Z9PtuqbdVluSt:4jk3kggYrUxPCdSEdX10YAUwjD1Z9sAz

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

nightmare4666.ddns.net:3443

Targets

- Target
  
  07ca371727b256539e6316faebc1b9d671bd4be195082e4e3db38e5e2d396194.exe
- Size
  
  754KB
- MD5
  
  d2a4fd38881cf31c8c57a6d0b5ff7efe
- SHA1
  
  8d50451c1af8f540f08e9ad9dc9c82f28e12fd39
- SHA256
  
  07ca371727b256539e6316faebc1b9d671bd4be195082e4e3db38e5e2d396194
- SHA512
  
  519b8e506c285a6c3f941c9fe95371be8e940c405a5ac16e6d3ea7e76a9d69a930de9aa77910a5030dadf552ed3a8e4ba5b0760f9cc7285abe3e0325993d4523
- SSDEEP
  
  12288:tVxfM/PNmfig4qXnWy1ZsY2mTS7gazVb8N0K1WqLjPjAj:/iEfB4Q9+VIEWjPi
Score

10^/10

modiloader trojan warzonerat infostealer persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ModiLoader Second Stage
- Warzone RAT payload
  rat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

WarzoneRat, AveMaria

ModiLoader Second Stage

Warzone RAT payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2