vanillarat | c9dcd0ef1aeb4a2f8bbb4ff93f0f523bee99a739c7e0ad8f21c70aa368204f41

Analysis

max time kernel
1337s
max time network
1164s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2023 10:19

Target

hi.exe
Size

114KB
MD5

8a2cc75f1a0196bc659384fecc0fed8a
SHA1

2e5b7de6a0977da0ef29bc5855e65e8deca4e51c
SHA256

c9dcd0ef1aeb4a2f8bbb4ff93f0f523bee99a739c7e0ad8f21c70aa368204f41
SHA512

5a5b5cde00bf0f105a04cb60b1baae2bc8c82225e447e34df87fd2789a6acddb1757f699933e78938ca6fbcce98400f7ae1c02907990198d2fe39004b17397bf
SSDEEP

3072:gJZKnPE2YyJzELtyTFyYeY8lNgoiJ+sX8HFvytbmNM:gJZKBI0FyYeY4eoiJ+sCFvR

Score

10^/10

vanillarat rat

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4132-134-0x0000000000280000-0x00000000002A2000-memory.dmp	vanillarat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

hi.exe

pid process

4132 hi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hi.exe

description pid process

Token: SeDebugPrivilege 4132 hi.exe

pid	process
4132	hi.exe

description	pid	process
Token: SeDebugPrivilege	4132	hi.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

memory/4132-133-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4132-134-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download
memory/4132-135-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/4132-136-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/4132-137-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-138-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/4132-139-0x00000000094E0000-0x0000000009546000-memory.dmp

Filesize
408KB

Download
memory/4132-140-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4132-141-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-142-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-143-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-144-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-145-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4132-146-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download