vanillarat | 661cb7d69264a4953e0ec5d87b533e9e79c1b893b090d720a79692f7fb8f2a50

General

Target

Firefox Installer.exe
Size

188KB
MD5

d8754b62c9e5fa6a98480f4ff45a2272
SHA1

97187ad5f282caa38a08c2af5178d2d2508f2807
SHA256

661cb7d69264a4953e0ec5d87b533e9e79c1b893b090d720a79692f7fb8f2a50
SHA512

f0c1905dc644d7d394cea141c9a10dc7c85c591cc18d689f1f68615936dd5aabf84617f8bc4056d41801b5356e5af479d6384a95b9f5404ec20d5a52de1570b1
SSDEEP

3072:oJZKnPE2YyJzELtyTRyYeY8lNgoiJ+sX8HFvytbaN+feQAcoQntK+C7VieM3SFZK:oJZKBI0RyYeY4eoiJ+sCFv9BPTQwX3Mp

Score

10^/10

vanillarat persistence rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4144-117-0x0000000000BE0000-0x0000000000C16000-memory.dmp	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
behavioral1/memory/2944-126-0x0000000000C90000-0x0000000000CB2000-memory.dmp	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2944 svchost.exe
368 svchost.exe

pid	process
2944	svchost.exe
368	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Modifies registry class 2 IoCs

Processes:

control.execontrol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	control.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Firefox Installer.exesvchost.exesvchost.exewhoami.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	4144	Firefox Installer.exe
Token: SeDebugPrivilege	2944	svchost.exe
Token: SeDebugPrivilege	368	svchost.exe
Token: SeDebugPrivilege	4564	whoami.exe
Token: SeDebugPrivilege	2684	whoami.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Firefox Installer.exesvchost.exesvchost.execmd.exe

description	pid	process	target process
PID 4144 wrote to memory of 2944	4144	Firefox Installer.exe	svchost.exe
PID 4144 wrote to memory of 2944	4144	Firefox Installer.exe	svchost.exe
PID 4144 wrote to memory of 2944	4144	Firefox Installer.exe	svchost.exe
PID 2944 wrote to memory of 368	2944	svchost.exe	svchost.exe
PID 2944 wrote to memory of 368	2944	svchost.exe	svchost.exe
PID 2944 wrote to memory of 368	2944	svchost.exe	svchost.exe
PID 368 wrote to memory of 2084	368	svchost.exe	cmd.exe
PID 368 wrote to memory of 2084	368	svchost.exe	cmd.exe
PID 368 wrote to memory of 2084	368	svchost.exe	cmd.exe
PID 2084 wrote to memory of 2188	2084	cmd.exe	winver.exe
PID 2084 wrote to memory of 2188	2084	cmd.exe	winver.exe
PID 2084 wrote to memory of 2188	2084	cmd.exe	winver.exe
PID 2084 wrote to memory of 4564	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 4564	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 4564	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 2684	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 2684	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 2684	2084	cmd.exe	whoami.exe
PID 2084 wrote to memory of 3700	2084	cmd.exe	control.exe
PID 2084 wrote to memory of 3700	2084	cmd.exe	control.exe
PID 2084 wrote to memory of 3700	2084	cmd.exe	control.exe
PID 2084 wrote to memory of 200	2084	cmd.exe	control.exe
PID 2084 wrote to memory of 200	2084	cmd.exe	control.exe
PID 2084 wrote to memory of 200	2084	cmd.exe	control.exe

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\winver.exe
        
        winver
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\whoami.exe
        
        whoami
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\SysWOW64\whoami.exe
        
        whoami
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\SysWOW64\control.exe
        
        control
        5⤵
        Modifies registry class
        
        PID:3700
    - - C:\Windows\SysWOW64\control.exe
        
        control
        5⤵
        Modifies registry class
        
        PID:200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
d171fba5b90821656b0bd8a16c577652

SHA1
a9aee6e9e269c16a490563ac9a731e8d09c40a66

SHA256
7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6

SHA512
5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
d171fba5b90821656b0bd8a16c577652

SHA1
a9aee6e9e269c16a490563ac9a731e8d09c40a66

SHA256
7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6

SHA512
5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
d171fba5b90821656b0bd8a16c577652

SHA1
a9aee6e9e269c16a490563ac9a731e8d09c40a66

SHA256
7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6

SHA512
5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
d171fba5b90821656b0bd8a16c577652

SHA1
a9aee6e9e269c16a490563ac9a731e8d09c40a66

SHA256
7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6

SHA512
5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
d171fba5b90821656b0bd8a16c577652

SHA1
a9aee6e9e269c16a490563ac9a731e8d09c40a66

SHA256
7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6

SHA512
5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

Download Submit
memory/368-136-0x0000000005A00000-0x0000000005B00000-memory.dmp

Filesize
1024KB

Download
memory/368-142-0x0000000005A00000-0x0000000005B00000-memory.dmp

Filesize
1024KB

Download
memory/368-141-0x0000000005A00000-0x0000000005B00000-memory.dmp

Filesize
1024KB

Download
memory/368-140-0x0000000005A00000-0x0000000005B00000-memory.dmp

Filesize
1024KB

Download
memory/368-139-0x000000000A640000-0x000000000A67E000-memory.dmp

Filesize
248KB

Download
memory/368-138-0x000000000A010000-0x000000000A022000-memory.dmp

Filesize
72KB

Download
memory/368-137-0x0000000009C30000-0x0000000009C96000-memory.dmp

Filesize
408KB

Download
memory/2944-126-0x0000000000C90000-0x0000000000CB2000-memory.dmp

Filesize
136KB

Download
memory/2944-130-0x0000000001A00000-0x0000000001A0A000-memory.dmp

Filesize
40KB

Download
memory/2944-129-0x0000000005C00000-0x0000000005D00000-memory.dmp

Filesize
1024KB

Download
memory/2944-128-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/2944-127-0x0000000006100000-0x00000000065FE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-117-0x0000000000BE0000-0x0000000000C16000-memory.dmp

Filesize
216KB

Download
memory/4144-118-0x00000000055F0000-0x000000000568C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads