modiloader | a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENTADICE565OUTBOUNDex.exe
Size

948KB
MD5

268ad9d551b4173c3bfd39eef6ad76b9
SHA1

6ca84e053936508354a7805f36b1fd7e25f6970e
SHA256

a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da
SHA512

03f5fd63552e49d6fb2ad05596429fb2352c7384d084da7f45df04cf70eb4886d77871cb7f4321f65b62c1ec18d232ed372046d609ae559b303bd941c5567ef9
SSDEEP

12288:5DQy2c+bp9/95hiFFCt2AvQBPNIkry/wNQZqLfLYUj2Msx2AWwoo+5dHg:5cnbp9mIzvQBa1/wNQULfLYUyVxHjohM

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

donelpacino.ddns.net:4545

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2284-134-0x00000000022C0000-0x00000000022F0000-memory.dmp	modiloader_stage2

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2284-141-0x0000000004FC0000-0x0000000005128000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qxpwiwfh = "C:\\Users\\Public\\Qxpwiwfh.url"	PAYMENTADICE565OUTBOUNDex.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Users\Admin\AppData\Local\Temp\PAYMENTADICE565OUTBOUNDex.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTADICE565OUTBOUNDex.exe"
1⤵
- Adds Run key to start application
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2284-134-0x00000000022C0000-0x00000000022F0000-memory.dmp

Filesize
192KB

Download
memory/2284-136-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2284-137-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2284-141-0x0000000004FC0000-0x0000000005128000-memory.dmp

Filesize
1.4MB

Download