Malware Analysis Report

2024-10-19 08:13

Sample ID 240102-vencxsadaj
Target 3e82d4b205d458e65db00eb0f4231546
SHA256 92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752
Tags rat, vanillarat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752

Threat Level: Known bad

The file 3e82d4b205d458e65db00eb0f4231546 was found to be: Known bad.

Malicious Activity Summary

rat vanillarat

Vanillarat family

VanillaRat

Vanilla Rat payload

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-02 16:54

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-02 16:54

Reported

2024-01-02 16:57

Platform

win7-20231215-en

Max time kernel

150s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Processes

C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe

"C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.sa.ngrok.io udp
BR 18.229.146.63:19296 0.tcp.sa.ngrok.io tcp
BR 18.228.115.60:19296 0.tcp.sa.ngrok.io tcp

Files

memory/1704-0-0x0000000000B30000-0x0000000000B52000-memory.dmp

memory/1704-1-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/1704-2-0x00000000042E0000-0x0000000004320000-memory.dmp

memory/1704-3-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/1704-4-0x00000000042E0000-0x0000000004320000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-02 16:54

Reported

2024-01-02 16:56

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Processes

C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe

"C:\Users\Admin\AppData\Local\Temp\3e82d4b205d458e65db00eb0f4231546.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.sa.ngrok.io udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
BR 18.229.146.63:19296 0.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 63.146.229.18.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
BR 54.94.248.37:19296 0.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 37.248.94.54.in-addr.arpa udp
US 8.8.8.8:53 72.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BR 18.229.248.167:19296 0.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 167.248.229.18.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
BR 18.229.248.167:19296 tcp

Files

memory/4960-1-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4960-2-0x0000000005B20000-0x00000000060C4000-memory.dmp

memory/4960-3-0x0000000005570000-0x0000000005602000-memory.dmp

memory/4960-4-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/4960-5-0x0000000005500000-0x000000000550A000-memory.dmp

memory/4960-0-0x0000000000C10000-0x0000000000C32000-memory.dmp

memory/4960-6-0x0000000009410000-0x0000000009476000-memory.dmp

memory/4960-7-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4960-8-0x00000000057D0000-0x00000000057E0000-memory.dmp