Malware Analysis Report

2024-10-23 20:55

Sample ID 230710-ntfhasah51
Target Firefox Installer.exe
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
Tags
rat vanillarat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15

Threat Level: Known bad

The file Firefox Installer.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence

Vanillarat family

VanillaRat

Vanilla Rat payload

Vanilla Rat payload

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-10 11:41

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-10 11:41

Reported

2023-07-10 11:45

Platform

win10-20230703-de

Max time kernel

127s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1444

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 35.157.111.131:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 131.111.157.35.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 169.15.67.3.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/1016-120-0x0000000000EE0000-0x0000000000F16000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

memory/1016-128-0x0000000006270000-0x0000000006374000-memory.dmp

memory/4960-127-0x0000000000EE0000-0x0000000000F02000-memory.dmp

memory/4960-129-0x0000000006200000-0x00000000066FE000-memory.dmp

memory/4960-130-0x0000000005D00000-0x0000000005D92000-memory.dmp

memory/4960-131-0x0000000005B40000-0x0000000005B4A000-memory.dmp

memory/4960-132-0x0000000005E00000-0x0000000005F00000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

memory/4976-138-0x0000000005F00000-0x0000000006000000-memory.dmp

memory/4976-139-0x000000000A100000-0x000000000A166000-memory.dmp

memory/4976-140-0x0000000005F00000-0x0000000006000000-memory.dmp