vanillarat | 52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b

General

Target

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
Size

203KB
MD5

c039a7cb6c12fad48b188d4fe86442b6
SHA1

38a34b238f84418d3b8a6854fb48ff0c934d117e
SHA256

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b
SHA512

5a6a3d3328ec25be4bd2f857cc6ef3ff4a0a6be1e78a98b61531503ce4f5f3dd6f9a662f9ae55930518299cd99dc5fd24adcfee2416984bfb95727588553c5ba

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-60-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1992-61-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1992-62-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1992-63-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1992-65-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1992-67-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 1 IoCs

Processes:

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

description	pid	process	target process
PID 960 set thread context of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

pid	process
960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

description pid process

Token: SeDebugPrivilege 960 52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

description	pid	process
Token: SeDebugPrivilege	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
"C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
  "C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
  "C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
  "C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
  "C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
  2⤵
  PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000001070000-0x00000000010AC000-memory.dmp

Filesize
240KB

Download
memory/960-55-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/960-56-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1992-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-63-0x000000000041DC1E-mapping.dmp

Download
memory/1992-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-68-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 960 wrote to memory of 2032	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 2032	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 2032	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 2032	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1716	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1716	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1716	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1716	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1972	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1972	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1972	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1972	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
PID 960 wrote to memory of 1992	960	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads