Malware Analysis Report

2024-10-23 20:55

Sample ID 230710-tltylsbh82
Target Firefox Installer.exe
SHA256 661cb7d69264a4953e0ec5d87b533e9e79c1b893b090d720a79692f7fb8f2a50
Tags
rat vanillarat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

661cb7d69264a4953e0ec5d87b533e9e79c1b893b090d720a79692f7fb8f2a50

Threat Level: Known bad

The file Firefox Installer.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence

VanillaRat

Vanilla Rat payload

Vanillarat family

Vanilla Rat payload

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-10 16:09

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-10 16:09

Reported

2023-07-10 16:12

Platform

win10-20230703-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings C:\Windows\SysWOW64\control.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings C:\Windows\SysWOW64\control.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe C:\Users\Admin\svchost.exe
PID 4144 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe C:\Users\Admin\svchost.exe
PID 4144 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe C:\Users\Admin\svchost.exe
PID 2944 wrote to memory of 368 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2944 wrote to memory of 368 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2944 wrote to memory of 368 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 368 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\winver.exe
PID 2084 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\winver.exe
PID 2084 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\winver.exe
PID 2084 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\whoami.exe
PID 2084 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\control.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\SysWOW64\whoami.exe

whoami

C:\Windows\SysWOW64\whoami.exe

whoami

C:\Windows\SysWOW64\control.exe

control

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\control.exe

control

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:14034 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 39.102.125.3.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:14034 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 75.249.158.18.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4144-117-0x0000000000BE0000-0x0000000000C16000-memory.dmp

memory/4144-118-0x00000000055F0000-0x000000000568C000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 d171fba5b90821656b0bd8a16c577652
SHA1 a9aee6e9e269c16a490563ac9a731e8d09c40a66
SHA256 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6
SHA512 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

C:\Users\Admin\svchost.exe

MD5 d171fba5b90821656b0bd8a16c577652
SHA1 a9aee6e9e269c16a490563ac9a731e8d09c40a66
SHA256 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6
SHA512 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

memory/2944-126-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/2944-127-0x0000000006100000-0x00000000065FE000-memory.dmp

memory/2944-128-0x0000000005A40000-0x0000000005AD2000-memory.dmp

memory/2944-129-0x0000000005C00000-0x0000000005D00000-memory.dmp

memory/2944-130-0x0000000001A00000-0x0000000001A0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d171fba5b90821656b0bd8a16c577652
SHA1 a9aee6e9e269c16a490563ac9a731e8d09c40a66
SHA256 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6
SHA512 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d171fba5b90821656b0bd8a16c577652
SHA1 a9aee6e9e269c16a490563ac9a731e8d09c40a66
SHA256 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6
SHA512 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d171fba5b90821656b0bd8a16c577652
SHA1 a9aee6e9e269c16a490563ac9a731e8d09c40a66
SHA256 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6
SHA512 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468

memory/368-136-0x0000000005A00000-0x0000000005B00000-memory.dmp

memory/368-137-0x0000000009C30000-0x0000000009C96000-memory.dmp

memory/368-138-0x000000000A010000-0x000000000A022000-memory.dmp

memory/368-139-0x000000000A640000-0x000000000A67E000-memory.dmp

memory/368-140-0x0000000005A00000-0x0000000005B00000-memory.dmp

memory/368-141-0x0000000005A00000-0x0000000005B00000-memory.dmp

memory/368-142-0x0000000005A00000-0x0000000005B00000-memory.dmp