vanillarat

General

Target

110852b8629477f0483bdcd381aae7a7
Size

7.1MB
Sample

240229-sytmyadb8s
MD5

110852b8629477f0483bdcd381aae7a7
SHA1

3242ea437ab5a6c08d5ceb3343c78bf457d49d01
SHA256

ac86c98a4e8eb00a2e85079613c12a32d664bd4d9f7c07b05541874fddf0e005
SHA512

f5833154a846e4b3f671bd103c04652b2213a13724e1a1619159275854b7b6373fd3b990f5dd2210d4bb344452bcf6f2fbb6d41adf591fe6f0ea3e0b6634f288
SSDEEP

98304:9B2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:OcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Score

10^/10

Malware Config

Targets

- Target
  
  110852b8629477f0483bdcd381aae7a7
- Size
  
  7.1MB
- MD5
  
  110852b8629477f0483bdcd381aae7a7
- SHA1
  
  3242ea437ab5a6c08d5ceb3343c78bf457d49d01
- SHA256
  
  ac86c98a4e8eb00a2e85079613c12a32d664bd4d9f7c07b05541874fddf0e005
- SHA512
  
  f5833154a846e4b3f671bd103c04652b2213a13724e1a1619159275854b7b6373fd3b990f5dd2210d4bb344452bcf6f2fbb6d41adf591fe6f0ea3e0b6634f288
- SSDEEP
  
  98304:9B2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:OcUG4raKu24YY7HVT4hV0AD6QgqKRgX
Score

10^/10

vanillarat agilenet evasion rat themida trojan
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Detects executables packed with Agile.NET / CliSecure
- Detects executables packed with Themida
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vanilla Rat payload
  rat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Detects executables packed with Agile.NET / CliSecure

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vanilla Rat payload

Checks BIOS information in registry

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2