vanillarat | 3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49

General

Target

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
Size

216KB
MD5

7d5130b3d2921ce20b1ff6015c63ac7b
SHA1

6533edb2384541c31cdd08734e39b22e8815c861
SHA256

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49
SHA512

7ac7ee838584b5cf0857e855c1ef821e46c4246ba41a366285c4cd46d30f60bf742ad9eec72a38e7b9fed50e69abb406fc0ba83ac324c8a98df0e4ac2010430f

Score

10^/10

vanillarat rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1828-138-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Suspicious use of SetThreadContext 2 IoCs

Processes:

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

description	pid	process	target process
PID 4492 set thread context of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 set thread context of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

pid	process
4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

description pid process

Token: SeDebugPrivilege 4492 3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

description	pid	process
Token: SeDebugPrivilege	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
"C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
  "C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe"
  2⤵
  PID:344
- C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
  "C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
    "C:\Users\Admin\AppData\Local\Temp\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe"
    3⤵
    PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe.log

Filesize
410B

MD5
3bbb825ef1319deb378787046587112b

SHA1
67da95f0031be525b4cf10645632ca34d66b913b

SHA256
d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0

SHA512
7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54

Download Submit
memory/344-133-0x0000000000000000-mapping.dmp

Download
memory/1828-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1828-137-0x0000000000000000-mapping.dmp

Download
memory/1828-139-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/3528-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3528-134-0x0000000000000000-mapping.dmp

Download
memory/4492-130-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/4492-131-0x000000000A780000-0x000000000AD24000-memory.dmp

Filesize
5.6MB

Download
memory/4492-132-0x000000000A420000-0x000000000A4B2000-memory.dmp

Filesize
584KB

Download

description	pid	process	target process
PID 4492 wrote to memory of 344	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 344	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 344	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 4492 wrote to memory of 3528	4492	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe
PID 3528 wrote to memory of 1828	3528	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe	3e2edb8f934920d1f71052fc4a13ca3a159ce56ddaa14e60822c236675cd3b49.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads