vanillarat | 58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415

General

Target

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
Size

211KB
MD5

e131bc56ad911665e9a7e7d570732307
SHA1

c768f7657768c18503740791bdb71a25179a7db5
SHA256

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415
SHA512

4c4a518332dd9571e0f1c3b9304435f8028576b1fb6780e1aaa5484956afd4fe53cda1a855247fada79660c3cfd8f0469a4c936e95fac4e3d244cbb5112314b2

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1980-72-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1980-73-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1980-71-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1980-74-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1980-76-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1980-78-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 2 IoCs

Processes:

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

description	pid	process	target process
PID 1792 set thread context of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 set thread context of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
"C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
"C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
"C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
3⤵
PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-55-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1792-56-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/1792-54-0x0000000000B80000-0x0000000000BBA000-memory.dmp

Filesize
232KB

Download
memory/1980-72-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-79-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1980-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-76-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-74-0x000000000041DC1E-mapping.dmp

Download
memory/1980-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-73-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2036-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-63-0x0000000000423B7E-mapping.dmp

Download
memory/2036-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

description	pid	process	target process
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 1792 wrote to memory of 2036	1792	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
PID 2036 wrote to memory of 1980	2036	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads