vanillarat | 0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e

Analysis

max time kernel
152s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
Size

282KB
MD5

0344bf2e7a272c184e0399ccd77b980c
SHA1

262e95e1fa85e7b46517c983bd552ad3df5f7c1b
SHA256

0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e
SHA512

b0d105f5bf1e89d7425c07e021e58bbc514ddfec6f2b0d854f4f660195848c5c9df151ae111d0fb5255a87eb54c94e140d553e84ef4b95e72b5275d858a8195f

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1120-104-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1120-105-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1120-106-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1120-107-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1120-109-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1120-111-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 1208 set thread context of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 276 set thread context of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 1808 set thread context of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1776 set thread context of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 2008 wrote to memory of 1208	2008	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	27
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 1208 wrote to memory of 276	1208	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	28
PID 276 wrote to memory of 1716	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	29
PID 276 wrote to memory of 1716	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	29
PID 276 wrote to memory of 1716	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	29
PID 276 wrote to memory of 1716	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	29
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 276 wrote to memory of 1808	276	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	30
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1808 wrote to memory of 1776	1808	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	31
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32
PID 1776 wrote to memory of 1120	1776	0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe	32

C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
"C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
    "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
      "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
      "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e9179dbbdcb9a49cefbdc6d709f54d07205bd7cdb1d1aa295654f3a54da8d8e.exe"
        6⤵
        
        PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/276-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-109-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-101-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-104-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-105-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-111-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-102-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-106-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1120-112-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1208-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-98-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-100-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-90-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-91-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-93-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-94-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1776-95-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1808-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-80-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1808-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2008-54-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download
memory/2008-56-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2008-55-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download