vanillarat | 52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b

Analysis

Target

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
Size

203KB
MD5

c039a7cb6c12fad48b188d4fe86442b6
SHA1

38a34b238f84418d3b8a6854fb48ff0c934d117e
SHA256

52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b
SHA512

5a6a3d3328ec25be4bd2f857cc6ef3ff4a0a6be1e78a98b61531503ce4f5f3dd6f9a662f9ae55930518299cd99dc5fd24adcfee2416984bfb95727588553c5ba

Score

10^/10

vanillarat rat

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4948-134-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3636 set thread context of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85
PID 3636 wrote to memory of 4948	3636	52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe	85

C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
"C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe
  "C:\Users\Admin\AppData\Local\Temp\52a41e55271ca30947e10b702e063215a09ad5029eecd6279c3f4f00383f525b.exe"
  2⤵
  PID:4948

memory/3636-130-0x0000000000620000-0x000000000065C000-memory.dmp

Filesize
240KB

Download
memory/3636-131-0x000000000AD60000-0x000000000B304000-memory.dmp

Filesize
5.6MB

Download
memory/3636-132-0x000000000A990000-0x000000000AA22000-memory.dmp

Filesize
584KB

Download
memory/4948-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4948-135-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download