vanillarat | e590d9d061fc38da277121abaf50c5d2432fe4cab8eb4fc347687d04c188f34b | Triage

Sharing

General

Target

VanillaRat.rar
Size

9.3MB
Sample

231101-m5evgahc86
MD5

a049dc80cb0ce48c4e91ac7d5172a082
SHA1

e45fe95f502072b7ff28e6b3978fc0fd80e58ca1
SHA256

e590d9d061fc38da277121abaf50c5d2432fe4cab8eb4fc347687d04c188f34b
SHA512

0785dc1529f61a5b9af743d24cd5aa836b871dc077cc2ec37b0c66998f79c5fed260e1d4859a43ccb7fc5e0fab0173e64f59f245106325f7e36b6a6bd4a5dfea
SSDEEP

196608:JBl2bbnL8Gw727XWgrz7BrNsMeYg58cvLXthkIYisyqIjRqVTvBKFsOcoN:JB8bbn4umoPgMeb8cLtSIjsyqIEVYFsC

Score

10^/10

vanillarat rat

Malware Config

Targets

- Target
  
  VanillaRat/Handlers/HandlerInstaller.bat
- Size
  
  12.4MB
- MD5
  
  36120c9b85ac8d0886754aea83b5f651
- SHA1
  
  f37d5eb87609e6312dc30b37f3b9568f788e1d9d
- SHA256
  
  3087b98c490a4be2e1e8d97a74edbacaab32c4162c49050408e9c86e0d1374eb
- SHA512
  
  973d80dd9f55c9219c0c1fcb194cb3151b872b2187a83abbcae53f9185a37877253962c116c282019e2309154b0ee0aba4675862f9e4eb4b0084a757ed7a8957
- SSDEEP
  
  49152:gfNOR3QlUQZ81jHk0IYRuKSGUhYHEPgU9XA1J8yWSUZ89FIJI25U3euQ6o2Mif+6:J
Score

10^/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  VanillaRat/Main/VanillaRat.exe
- Size
  
  1.8MB
- MD5
  
  15e08de70a1aa3202bf12873d7464cfb
- SHA1
  
  3797022285b7250fe7c3b4d3c68aabd7b02e77df
- SHA256
  
  0888ca367d882709d10712f6d8eefc5945ff067467e832f59e0071a86ae96555
- SHA512
  
  f084621d43085877aaccdfa73394e4ec11e56a2c7d6086aa6308b0e086a3d5bfa7c18fc4374a1d2028868fad0f9d45dff4d82a6c0ef8c2e9946a901a7779a343
- SSDEEP
  
  24576:HDTgl3eQury9oQqdTfqauvHpcV3+bGeVUEY995IK5:jkJ94y9oBuvHCuHqEV
Score

10^/10

vanillarat rat
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Vanilla Rat payload
  rat
- Executes dropped EXE
behavioral3 behavioral4
- Target
  
  VanillaRat/Main/VanillaStub.exe
- Size
  
  111KB
- MD5
  
  ba4ef2f128dd9d5ad47cf36448248cbc
- SHA1
  
  c791033df85c85b1c67638a64177553cef896970
- SHA256
  
  3515285bcb1e7b4a7c5a570ab9ba0543f4733cc9b1a5afb6d4c1bc4d0b0afa92
- SHA512
  
  f83f79f85167e2980b85db8a8fbd731c352ccf049203749fb70fabba78067361ebd15fe22783cd8a80355e4ae66a6999eee200aadacf75556dec3c67b840f287
- SSDEEP
  
  3072:o0w4Vztdrx+jiEPtXKb0H/vbabULtyTl:LxrrkzPtabK/v50
Score

10^/10

vanillarat rat
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Vanilla Rat payload
  rat
behavioral5 behavioral6
- Target
  
  VanillaRat/Start.bat
- Size
  
  3KB
- MD5
  
  78d817fe7349683c207f17c0b4774484
- SHA1
  
  9dc66330a6aef8e8678b45ac3fa79091f2f50ccc
- SHA256
  
  b7ddf09d72ad1671da5c5ad5bf0e5d22ac6f4fee8cedd04f188a9e109e8b86f6
- SHA512
  
  77e0bdc2d0faa24d4f4ff42059f8b002b7214300fd7f44b07d76fb042b111a1ad85e2b32e1032942aaf29bed11efe17a73e623cafd777ec21e603118e70d2699
Score

10^/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8