vanillarat | b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77

General

Target

b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
Size

192KB
MD5

09d7244e1160ae4ce2cc24275ae60ef4
SHA1

55dd40229b9fba7feaada4d61ecbb240855aee9a
SHA256

b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77
SHA512

4805593b1984fb28b365bdacea1f6a95dada12735c2d7876c472edd29d118414a8a2282fc7879f29b7acae160fc9abcaefa88eda7477deccc0e3f0521f09da02

Score

10^/10

vanillarat rat

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1096-60-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1096-61-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1096-62-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1096-63-0x000000000041DC1E-mapping.dmp	vanillarat
behavioral1/memory/1096-65-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/1096-67-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28
PID 1808 wrote to memory of 1096	1808	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	28

C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
"C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
  "C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe"
  2⤵
  PID:1096

memory/1096-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1096-68-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x0000000000830000-0x000000000086A000-memory.dmp

Filesize
232KB

Download
memory/1808-55-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1808-56-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download