Remittance_Advice.vbs

General
Target

Remittance_Advice.vbs

Size

875B

Sample

210723-9j6xnyejc2

Score

10/10

MD5

fc4a8faf57b167de212a02466d0f5435

SHA1

8b83c8dad3b1168c37729b8c6551e7ac4d0071af

SHA256

84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287

SHA512

855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0

Malware Config

Extracted (stage 1)

Language: ps1
Deobfuscated
URLs (exe.dropper):

https://www.maan2u.com/a/ALL.txt

Extracted (stage 2)

Family: warzonerat
C2:

192..3.146.165:3543
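The extracted config describes a two-stage chain: the VBS launches PowerShell, which fetches an executable dropper served as ALL.txt, and the final payload is WarzoneRAT beaconing to a C2 socket. The following is an added example, not part of the sandbox report, that turns the indicators printed above into a small log matcher and runs it over a few constructed proxy, DNS, flow and EDR log lines. The C2 value is copied exactly as the page prints it (with the doubled dot); rather than guessing the intended address, the code validates each indicator and reports the ones it cannot use, which is what an analyst importing a report's IOCs should see. All log lines and the hostname ws042 are constructed for illustration.

```python
"""Match the indicators from this report against log lines.

Added example; not code from the sandbox report. Sample logs are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators copied verbatim from the report page.
REPORT_IOCS = {
    "md5": "fc4a8faf57b167de212a02466d0f5435",
    "sha1": "8b83c8dad3b1168c37729b8c6551e7ac4d0071af",
    "sha256": "84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287",
    "dropper_url": "https://www.maan2u.com/a/ALL.txt",
    "c2": "192..3.146.165:3543",  # as printed on the page; note the doubled dot
}


@dataclass
class IocSet:
    hashes: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    url_paths: set[tuple[str, str]] = field(default_factory=set)  # (host, path)
    c2_sockets: set[tuple[str, int]] = field(default_factory=set)
    rejected: list[str] = field(default_factory=list)  # malformed indicators


def parse_c2(value: str) -> tuple[str, int] | None:
    """Validate an 'ip:port' string; return None instead of guessing when malformed."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host, int(port)


def build_ioc_set(raw: dict[str, str]) -> IocSet:
    """Normalise report indicators; anything that fails validation goes to .rejected."""
    iocs = IocSet()
    for key in ("md5", "sha1", "sha256", "sha512"):
        if key in raw:
            iocs.hashes.add(raw[key].lower())
    if "dropper_url" in raw:
        u = urlsplit(raw["dropper_url"])
        iocs.hosts.add(u.hostname.lower())
        iocs.url_paths.add((u.hostname.lower(), u.path))
    if "c2" in raw:
        sock = parse_c2(raw["c2"])
        if sock is None:
            iocs.rejected.append(f"c2={raw['c2']!r} is not a valid ip:port")
        else:
            iocs.c2_sockets.add(sock)
            iocs.hosts.add(sock[0])
    return iocs


URL_RE = re.compile(r"https?://[^\s\"']+")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def match_line(line: str, iocs: IocSet) -> list[str]:
    """Return the sorted indicator types that fire on one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        u = urlsplit(url)
        if u.hostname and (u.hostname.lower(), u.path) in iocs.url_paths:
            hits.add("dropper_url")
    for host in HOST_RE.findall(line):
        if host.lower() in iocs.hosts:
            hits.add("host")
    for ip, port in SOCKET_RE.findall(line):
        if (ip, int(port)) in iocs.c2_sockets:
            hits.add("c2")
    for h in HASH_RE.findall(line):
        if h.lower() in iocs.hashes:
            hits.add("hash")
    return sorted(hits)


def scan(lines: list[str], iocs: IocSet) -> list[tuple[int, list[str]]]:
    """(line index, hits) for every line on which at least one indicator fires."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := match_line(line, iocs))]


# Constructed log lines; the 203.0.113.5 address is a documentation range, not the real C2.
SAMPLE_LOGS = [
    "2021-07-23T09:12:01Z proxy ws042 powershell.exe GET https://www.maan2u.com/a/ALL.txt 200",
    "2021-07-23T09:12:03Z dns ws042 query=www.maan2u.com type=A",
    "2021-07-23T09:12:09Z flow ws042 10.0.4.17:51022 -> 203.0.113.5:3543 tcp",
    "2021-07-23T09:11:58Z edr ws042 wscript.exe file=Remittance_Advice.vbs md5=fc4a8faf57b167de212a02466d0f5435",
    "2021-07-23T09:20:00Z proxy ws043 chrome.exe GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    iocs = build_ioc_set(REPORT_IOCS)
    for problem in iocs.rejected:
        print("WARNING:", problem)
    for i, hits in scan(SAMPLE_LOGS, iocs):
        print(f"line {i}: {', '.join(hits)}  <- {SAMPLE_LOGS[i]}")
```

Run as-is, the script warns that the C2 indicator does not parse and therefore never matches the flow line, while the dropper URL, the hostname and the file hash each fire on the constructed lines. Swapping a valid ip:port into REPORT_IOCS["c2"] makes the socket match active.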

Targets
Target

Remittance_Advice.vbs

Tags

Signatures

  • WarzoneRat, AveMaria

    Description

    WarzoneRat (also sold as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • suricata: ET MALWARE PE EXE or DLL Windows file download Text

    Description

    The IDS rule name indicates a PE executable delivered with a text content type, which matches the exe.dropper URL in the extracted config (ALL.txt).

  • Blocklisted process makes network request

    Description

    A process on the sandbox's blocklist, typically a script host such as wscript.exe or powershell.exe, made an outbound network request.

  • Suspicious use of SetThreadContext

    Description

    SetThreadContext is the API used by process hollowing and thread hijacking to redirect a thread's execution into injected code.

Related Tasks

MITRE ATT&CK Matrix

Tactic columns as rendered (no techniques listed on this page): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

behavioral1

10/10