vanillarat | b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77

Analysis

Target

b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
Size

192KB
MD5

09d7244e1160ae4ce2cc24275ae60ef4
SHA1

55dd40229b9fba7feaada4d61ecbb240855aee9a
SHA256

b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77
SHA512

4805593b1984fb28b365bdacea1f6a95dada12735c2d7876c472edd29d118414a8a2282fc7879f29b7acae160fc9abcaefa88eda7477deccc0e3f0521f09da02

Score

10^/10

vanillarat rat

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2900-134-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82
PID 1476 wrote to memory of 2900	1476	b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe	82

C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
"C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe
  "C:\Users\Admin\AppData\Local\Temp\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe"
  2⤵
  PID:2900

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b9d6e34118727762237c58edda33894c5753b3e2a44c6d8e235ac50163438c77.exe.log

Filesize
410B

MD5
3bbb825ef1319deb378787046587112b

SHA1
67da95f0031be525b4cf10645632ca34d66b913b

SHA256
d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0

SHA512
7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54

Download Submit
memory/1476-130-0x0000000000E30000-0x0000000000E6A000-memory.dmp

Filesize
232KB

Download
memory/1476-131-0x000000000B320000-0x000000000B8C4000-memory.dmp

Filesize
5.6MB

Download
memory/1476-132-0x000000000AFA0000-0x000000000B032000-memory.dmp

Filesize
584KB

Download
memory/2900-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2900-136-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download