Overview

overview

10

Static

static

Remittance_Advice.vbs

windows7_x64

10

Remittance_Advice.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Remittance_Advice.vbs

  • Size

    875B

  • Sample

    210723-9j6xnyejc2

  • MD5

    fc4a8faf57b167de212a02466d0f5435

  • SHA1

    8b83c8dad3b1168c37729b8c6551e7ac4d0071af

  • SHA256

    84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287

  • SHA512

    855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0

Score
10/10
warzoneratinfostealerratsuricata

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.maan2u.com/a/ALL.txt

Extracted

Family

warzonerat

C2

192..3.146.165:3543

Targets

    • Target

      Remittance_Advice.vbs

    • Size

      875B

    • MD5

      fc4a8faf57b167de212a02466d0f5435

    • SHA1

      8b83c8dad3b1168c37729b8c6551e7ac4d0071af

    • SHA256

      84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287

    • SHA512

      855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0

    Score
    10/10
    warzoneratinfostealerratsuricata

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • suricata: ET MALWARE PE EXE or DLL Windows file download Text

      suricata

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks