vanillarat | 53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3

General

Target

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
Size

258KB
MD5

3e12aad4f4408afe6575ca90a6da61fc
SHA1

445f1a34c24a71eb86f1bc8a8fd71759248cbf73
SHA256

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3
SHA512

304b11841b5424001095b18003a90f236f0ec1b27ed595c5d1f180fb24f1888e02e96ff1a3658fa54ea3d6409504db596457abe14b880d0120d79ed46e32d3e1

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1296-94-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-93-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-95-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-96-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1296-98-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1296-100-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 4 IoCs

Processes:

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe

description	pid	process	target process
PID 1752 set thread context of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 set thread context of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 set thread context of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 set thread context of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
"C:\Users\Admin\AppData\Local\Temp\53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe"
5⤵
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-87-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-80-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1160-85-0x0000000000423B7E-mapping.dmp

Download
memory/1180-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-63-0x000000000042FB0E-mapping.dmp

Download
memory/1180-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-91-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-94-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-101-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1296-100-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-98-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-96-0x000000000041DC1E-mapping.dmp

Download
memory/1296-95-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-93-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1752-56-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1752-55-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1752-54-0x0000000001310000-0x0000000001356000-memory.dmp

Filesize
280KB

Download
memory/1984-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-74-0x0000000000429B7E-mapping.dmp

Download
memory/1984-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

description	pid	process	target process
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1752 wrote to memory of 1180	1752	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1180 wrote to memory of 1984	1180	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1984 wrote to memory of 1160	1984	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe
PID 1160 wrote to memory of 1296	1160	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe	53c91d4d304d2063c2020291e3ab11312b3e2e7bad3c99f8fb01b1a5776465a3.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads