modiloader | 28a1e5b98c9b890026a9712ceabf90bc227750f5616d9d4b19f5c404d864db1f | Triage

Submit
Reports

Overview

overview

Static

static

3

TheWarz-Crack.exe

windows7-x64

TheWarz-Crack.exe

windows10-2004-x64

Sharing

General

Target

VirusShare_15498158598632df42dd416de292d24e
Size

1.1MB
Sample

240607-w8vjrsda29
MD5

15498158598632df42dd416de292d24e
SHA1

3c82c22b8910963da6aaed0a7f4449b222cd2dbc
SHA256

28a1e5b98c9b890026a9712ceabf90bc227750f5616d9d4b19f5c404d864db1f
SHA512

1303c1b586d60a0a55ece624f9eeef94c48f19a8f941f85d8f530fd7a538435586c40442e10531e5a99f1e31ee30ee39e58e0e03dc84f9ae115d6725c999741c
SSDEEP

24576:iYYKN5HuJM5g8Y1BpzS9ZX2Is/GTUsak+M2dnH3trXmp1bG2:iR+HDFYJS9AI0GwmWUp1L

Score

10^/10

modiloader njrat thewarz-crack-1 evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

TheWarz-Crack.exe

Resource

win7-20240221-en

modiloader njrat thewarz-crack-1 evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

TheWarz-Crack.exe

Resource

win10v2004-20240226-en

modiloader njrat evasion persistence trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

TheWarz-Crack-1

C2

103.22.181.199:1177

Mutex

4ff3a911dbfff7e34d508efdb7eca614

Attributes

reg_key
4ff3a911dbfff7e34d508efdb7eca614
splitter
|'|'|

Targets

- Target
  
  TheWarz-Crack.exe
- Size
  
  1.2MB
- MD5
  
  6b035800be70ccbedd9154a9ae57d03b
- SHA1
  
  c7de2eba384c891723b4a17753ee00129f5fe973
- SHA256
  
  e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de
- SHA512
  
  1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7
- SSDEEP
  
  24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq
Score

10^/10

modiloader njrat thewarz-crack-1 evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- ModiLoader Second Stage
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

modiloadernjratthewarz-crack-1evasionpersistencetrojan

behavioral2

modiloadernjratevasionpersistencetrojan

© 2018-2024

Terms | Privacy