vanillarat | 58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415

General

Target

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
Size

211KB
MD5

e131bc56ad911665e9a7e7d570732307
SHA1

c768f7657768c18503740791bdb71a25179a7db5
SHA256

58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415
SHA512

4c4a518332dd9571e0f1c3b9304435f8028576b1fb6780e1aaa5484956afd4fe53cda1a855247fada79660c3cfd8f0469a4c936e95fac4e3d244cbb5112314b2

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4520-138-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 2708 set thread context of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3716	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	84
PID 4752 wrote to memory of 3716	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	84
PID 4752 wrote to memory of 3716	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	84
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 4752 wrote to memory of 2708	4752	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	85
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86
PID 2708 wrote to memory of 4520	2708	58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe	86

C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
"C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
  "C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
  2⤵
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
  "C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe
    "C:\Users\Admin\AppData\Local\Temp\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe"
    3⤵
    PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\58df18acac2d0ff6349bfb7cff0d5d033454b2a944d1e7ec9da8ebb88b2c1415.exe.log

Filesize
410B

MD5
24cfd42a8de70b38ed70e1f8cf4eda1c

SHA1
e447168fd38da9175084b36a06c3e9bbde99064c

SHA256
93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd

SHA512
5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

Download Submit
memory/2708-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4520-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4520-139-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4752-130-0x00000000009D0000-0x0000000000A0A000-memory.dmp

Filesize
232KB

Download
memory/4752-131-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4752-132-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing