vanillarat | 13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll
Size

4.0MB
MD5

a37a6a4e999d48740013ee70916a392c
SHA1

c7cbab63161c97a309b94cd9960660b72fb8eb67
SHA256

13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174
SHA512

542a32839881c42b877ff6aa5f296cae21357a7fb4c04fb37ca07da6623941dcc74a1b9a6b8e577a43fd5853c68d8a6d2f51d5ecc4c3185b258d7554edcca18a

Score

10^/10

vanillarat evasion persistence rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vanilla Rat Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/584-80-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/584-81-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/584-83-0x000000000041DC2E-mapping.dmp	vanillarat
behavioral1/memory/584-82-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/584-86-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat
behavioral1/memory/584-88-0x0000000000400000-0x0000000000422000-memory.dmp	vanillarat

Executes dropped EXE 4 IoCs

Processes:

pcstat.exeRandoInjector.exeFATALITTTT.exesvhost.exe

pid process

1432 pcstat.exe
2020 RandoInjector.exe
304 FATALITTTT.exe
584 svhost.exe

pid	process
1432	pcstat.exe
2020	RandoInjector.exe
304	FATALITTTT.exe
584	svhost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeFATALITTTT.exe

pid process

908 rundll32.exe
304 FATALITTTT.exe
304 FATALITTTT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine	rundll32.exe

pid	process
908	rundll32.exe
304	FATALITTTT.exe
304	FATALITTTT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pcstat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	pcstat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pcstat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

908 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

FATALITTTT.exe

description pid process target process

PID 304 set thread context of 584 304 FATALITTTT.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeRandoInjector.exeFATALITTTT.exe

pid process

908 rundll32.exe
2020 RandoInjector.exe
304 FATALITTTT.exe
304 FATALITTTT.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FATALITTTT.exe

description pid process

Token: SeDebugPrivilege 304 FATALITTTT.exe
Token: 33 304 FATALITTTT.exe
Token: SeIncBasePriorityPrivilege 304 FATALITTTT.exe

pid	process
908	rundll32.exe

description	pid	process	target process
PID 304 set thread context of 584	304	FATALITTTT.exe	svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

pid	process
908	rundll32.exe
2020	RandoInjector.exe
304	FATALITTTT.exe
304	FATALITTTT.exe

description	pid	process
Token: SeDebugPrivilege	304	FATALITTTT.exe
Token: 33	304	FATALITTTT.exe
Token: SeIncBasePriorityPrivilege	304	FATALITTTT.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

rundll32.exerundll32.exepcstat.exeFATALITTTT.execmd.exe

description	pid	process	target process
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 908	548	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1432	908	rundll32.exe	pcstat.exe
PID 908 wrote to memory of 1432	908	rundll32.exe	pcstat.exe
PID 908 wrote to memory of 1432	908	rundll32.exe	pcstat.exe
PID 908 wrote to memory of 1432	908	rundll32.exe	pcstat.exe
PID 1432 wrote to memory of 2020	1432	pcstat.exe	RandoInjector.exe
PID 1432 wrote to memory of 2020	1432	pcstat.exe	RandoInjector.exe
PID 1432 wrote to memory of 2020	1432	pcstat.exe	RandoInjector.exe
PID 1432 wrote to memory of 2020	1432	pcstat.exe	RandoInjector.exe
PID 1432 wrote to memory of 304	1432	pcstat.exe	FATALITTTT.exe
PID 1432 wrote to memory of 304	1432	pcstat.exe	FATALITTTT.exe
PID 1432 wrote to memory of 304	1432	pcstat.exe	FATALITTTT.exe
PID 1432 wrote to memory of 304	1432	pcstat.exe	FATALITTTT.exe
PID 304 wrote to memory of 1864	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 1864	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 1864	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 1864	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 916	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 916	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 916	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 916	304	FATALITTTT.exe	cmd.exe
PID 916 wrote to memory of 1112	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1112	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1112	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1112	916	cmd.exe	reg.exe
PID 304 wrote to memory of 268	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 268	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 268	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 268	304	FATALITTTT.exe	cmd.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe
PID 304 wrote to memory of 584	304	FATALITTTT.exe	svhost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll,#1
2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\pcstat.exe
"C:\Users\Admin\AppData\Local\Temp\pcstat.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RandoInjector.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RandoInjector.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/IXP000.TMP/FATALITTTT.exe" "%temp%\FolderN\name.exe" /Y
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
6⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
5⤵
- NTFS ADS
PID:268

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
5⤵
- Executes dropped EXE
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
383KB

MD5
689828bf189ae19dc11c6064f55e35f9

SHA1
a43eeb3c93bad1de4779c0b4249ef0189d89cbbd

SHA256
2e2cccc03c787f2f405f66588f69b2bcfb6daf0e6b20ba41a23c4cef20a6827e

SHA512
f2c8aaab424d3dd47194bc63d922bfc0f01c87e32f14b2061844a6435d7de06ccda0c6cd335f0b7b39a9153075da5ed3f5db770d4e5ec7aa65ee85b3e4b145d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
Filesize
383KB

MD5
689828bf189ae19dc11c6064f55e35f9

SHA1
a43eeb3c93bad1de4779c0b4249ef0189d89cbbd

SHA256
2e2cccc03c787f2f405f66588f69b2bcfb6daf0e6b20ba41a23c4cef20a6827e

SHA512
f2c8aaab424d3dd47194bc63d922bfc0f01c87e32f14b2061844a6435d7de06ccda0c6cd335f0b7b39a9153075da5ed3f5db770d4e5ec7aa65ee85b3e4b145d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
Filesize
383KB

MD5
689828bf189ae19dc11c6064f55e35f9

SHA1
a43eeb3c93bad1de4779c0b4249ef0189d89cbbd

SHA256
2e2cccc03c787f2f405f66588f69b2bcfb6daf0e6b20ba41a23c4cef20a6827e

SHA512
f2c8aaab424d3dd47194bc63d922bfc0f01c87e32f14b2061844a6435d7de06ccda0c6cd335f0b7b39a9153075da5ed3f5db770d4e5ec7aa65ee85b3e4b145d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RandoInjector.exe
Filesize
280KB

MD5
a746fe2e58044d6a01d10fa7f312ab57

SHA1
e9b67f0a93de11b55e7299351387bc9e03e363bf

SHA256
934ba617b0bf87d698b45f01a2797fd8a14418a70755e4b8f0796fd266d4de49

SHA512
c2558f9091a69968a1c600d2fa7d4af37f5ea7e4d9e2c01837d0ddf5e2a536ab9487478c97688add477a77ba2162bd204207a846b9aeed0da1ae9d08092578e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcstat.exe
Filesize
1.5MB

MD5
0a35a7e7d511d7b0186e0e24c43d9504

SHA1
59f67d047bd4f63a35863670e5d698981883dbb5

SHA256
eeef5dc93378dc90acc7013e947ac2297549d0a450a88354aec7fb5fe7fb409b

SHA512
b5d50a8937eaa2dcbb8cf8862fe67f026832cc6d6f61d44b9512c3b776f459a01bb209b125eeab390bbbacdfabbbfe31ad394221c4fc4ed6cfc75fcdc7e8e9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
383KB

MD5
689828bf189ae19dc11c6064f55e35f9

SHA1
a43eeb3c93bad1de4779c0b4249ef0189d89cbbd

SHA256
2e2cccc03c787f2f405f66588f69b2bcfb6daf0e6b20ba41a23c4cef20a6827e

SHA512
f2c8aaab424d3dd47194bc63d922bfc0f01c87e32f14b2061844a6435d7de06ccda0c6cd335f0b7b39a9153075da5ed3f5db770d4e5ec7aa65ee85b3e4b145d6

Download Submit
\Users\Admin\AppData\Local\Temp\pcstat.exe
Filesize
1.5MB

MD5
0a35a7e7d511d7b0186e0e24c43d9504

SHA1
59f67d047bd4f63a35863670e5d698981883dbb5

SHA256
eeef5dc93378dc90acc7013e947ac2297549d0a450a88354aec7fb5fe7fb409b

SHA512
b5d50a8937eaa2dcbb8cf8862fe67f026832cc6d6f61d44b9512c3b776f459a01bb209b125eeab390bbbacdfabbbfe31ad394221c4fc4ed6cfc75fcdc7e8e9c0

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/268-75-0x0000000000000000-mapping.dmp

Download
memory/304-62-0x0000000000000000-mapping.dmp

Download
memory/304-68-0x0000000000320000-0x0000000000344000-memory.dmp

Filesize
144KB

Download
memory/304-65-0x0000000001370000-0x00000000013D6000-memory.dmp

Filesize
408KB

Download
memory/584-80-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-82-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-88-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-86-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-83-0x000000000041DC2E-mapping.dmp

Download
memory/584-81-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/584-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/908-54-0x0000000000000000-mapping.dmp

Download
memory/908-66-0x0000000077BE0000-0x0000000077D60000-memory.dmp

Filesize
1.5MB

Download
memory/908-67-0x00000000749E0000-0x0000000074DDA000-memory.dmp

Filesize
4.0MB

Download
memory/908-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/916-71-0x0000000000000000-mapping.dmp

Download
memory/1112-72-0x0000000000000000-mapping.dmp

Download
memory/1432-59-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1432-57-0x0000000000000000-mapping.dmp

Download
memory/1864-70-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000000000000-mapping.dmp

Download