vanillarat | 53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3

Analysis

max time kernel
149s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
Size

258KB
MD5

3e12aad4f4408afe6575ca90a6da61fc
SHA1

445f1a34c24a71eb86f1bc8a8fd71759248cbf73
SHA256

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3
SHA512

304b11841b5424001095b18003a90f236f0ec1b27ed595c5d1f180fb24f1888e02e96ff1a3658fa54ea3d6409504db596457abe14b880d0120d79ed46e32d3e1

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1296-94-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-93-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-95-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-96-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1296-98-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-100-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1180 set thread context of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1984 set thread context of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1160 set thread context of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	28
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	29
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	30
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	31

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
  "C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
    "C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
      "C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
        5⤵
        
        PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-87-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-80-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1180-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-91-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-94-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-101-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1296-100-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-98-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-95-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-93-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1752-56-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1752-55-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1752-54-0x0000000001310000-0x0000000001356000-memory.dmp

Filesize
280KB

Download
memory/1984-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads