Extracted

• • Target

    ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb.exe

  • Size

    2.2MB

  • MD5

    cdd45a122734f4f14ae8c4741cd79eab

  • SHA1

    97c84316d2a17e3deae6c134076f873d60cd8ce4

  • SHA256

    ca5fa091df6519461da15755e36a4d4ed795581388db81b9f834d20700eeaaeb

  • SHA512

    bed5c5d5916e49c0de6fd33a395f583ef72d40c91079ad1de349d68c20a1e6ab6403633b5efdeb02a454a59ebf7558e63a5d809d963c37d3230387524fb282fa

  • SSDEEP

    49152:US8kak8/G2ejlDcpoaPGum5Z8MwtE5d8qdoFZ:UUak88cpogPmUCsJZ

  Score

  10^/10

  modiloadertrojanwarzoneratinfostealerpersistencerat

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

  • Detects executables embedding command execution via IExecuteCommand COM object

  • ModiLoader Second Stage

  • Warzone RAT payload

    rat

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2