Extracted

• • Target

    Invoice_33534.exe

  • Size

    1.0MB

  • MD5

    f3d71b2f2cb58cb53275424e8c7d1512

  • SHA1

    17515b510cf67f9649b44c63005db115104b8603

  • SHA256

    beac9e77c0debad8d2f0dadab7dac28bcdc279a3a086f70d16a01ba3b807669a

  • SHA512

    e84429c2c1f85955bb492855cfd2bf783827e65b3cd7d418995c6d2711089f587ac49b1eee8eae383aa6e92820eb72b5a9deeb8eaa9b08a8436506bc99c29087

  • SSDEEP

    12288:gHtnHTCmuSCKh6VV2PpLCcGRKiSjrgLM4+krMukWpQCd6goi6XzMn1Vxhc5TJq:gHpBuSTOVMpLtG+j0au76gH66YT

  Score

  10^/10

  modiloadertrojanwarzoneratinfostealerpersistencerat

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • ModiLoader Second Stage

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2