Resubmissions

13-08-2024 13:12

240813-qfnymazelq 10

13-08-2024 13:11

240813-qe4bxszejl 10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-08-2024 13:12

General

  • Target

    VanillaRat.exe

  • Size

    982KB

  • MD5

    ce012d13bf11b47e0b8d1cf2d2ba9846

  • SHA1

    4a554c01352281134eb95ac8f7534468e250c50a

  • SHA256

    0fe257c142a900fe69dd5ff1ebd56a9c073c977442173d823f90981b77e3c210

  • SHA512

    b9a931458c2562b414fd4b90b859ebf2d8c09f9fee6214d3523b3fe57e640c7c2316dd604eb0b307739ef90c265789913f7f6b6da3cc9b086d995bb0efadb799

  • SSDEEP

    12288:+rzh887PPRqUy3G9nc6NghhkuqmzMarPPXj9RAyJ07lPFgoZ7+B:T87PPEUy3G9nLCnkQzM2UtzZa

Malware Config

Signatures

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

  • Vanilla Rat payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 39 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe
    "C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\Clients\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2164
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\Clients\8.exe
      "C:\Users\Admin\AppData\Local\Temp\Clients\8.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Users\Admin\AppData\Local\Temp\Clients\8.exe
      "C:\Users\Admin\AppData\Local\Temp\Clients\8.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5100
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4716
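
The process chain above (VanillaRat.exe spawning a second explorer.exe with a %TEMP%\Clients\ path as its argument, then the dropped 8.exe executing from that folder) is the kind of pattern a detection rule keys on. The following is an added example, not part of the sandbox report and not any vendor's rule: it runs two simple rules over a constructed set of process-creation events modelled on the tree above. The event schema, the parent PIDs of the top-level processes, the extra benign events, and the rule wording are all assumptions made for the example.

```python
"""Flag the VanillaRat process pattern over constructed process-creation events.

Added example, not code from the sandbox report. Events are constructed to
mirror the process tree on this page; parent PIDs of the top-level processes
and the benign events are assumptions.
"""
from dataclasses import dataclass

# Sandbox user's temp directory as seen in the report (lower-cased for matching).
TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 style, assumed schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_temp(path: str) -> bool:
    """True when the path lives under the user's %TEMP% directory."""
    return path.lower().startswith(TEMP_DIR)


def find_suspicious(events):
    """Return (pid, reason) for events matching either rule.

    Rule 1: explorer.exe launched by a binary running from %TEMP%, with a
            %TEMP% path on its command line (VanillaRat.exe -> explorer.exe
            C:\\...\\Temp\\Clients\\ in the report).
    Rule 2: any executable started from %TEMP%\\Clients\\ (the dropped 8.exe).
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.lower()
        parent = by_pid.get(e.ppid)  # None when the parent was not logged
        if (image.endswith("\\explorer.exe") and parent is not None
                and in_temp(parent.image) and TEMP_DIR in e.cmdline.lower()):
            findings.append((e.pid, "explorer.exe spawned by %TEMP% binary with %TEMP% argument"))
        if in_temp(image) and "\\clients\\" in image:
            findings.append((e.pid, "dropped EXE executed from %TEMP%\\Clients"))
    return findings


def sample_events():
    """Constructed events mirroring the report's process tree; ppid 604 is an
    assumed parent for the top-level processes, pids 3000/3100 are benign fillers."""
    t = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    return [
        ProcEvent(1220, 604, t + "VanillaRat.exe", f'"{t}VanillaRat.exe"'),
        ProcEvent(2164, 1220, "C:\\Windows\\SysWOW64\\explorer.exe",
                  f'"C:\\Windows\\System32\\explorer.exe" {t}Clients\\'),
        ProcEvent(2096, 604, "C:\\Windows\\explorer.exe",
                  "C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
        ProcEvent(2992, 2096, t + "Clients\\8.exe", f'"{t}Clients\\8.exe"'),
        ProcEvent(5100, 2096, t + "Clients\\8.exe", f'"{t}Clients\\8.exe"'),
        ProcEvent(4716, 604, "C:\\Windows\\System32\\rundll32.exe",
                  "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,"
                  "SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
        # Benign: notepad from the shell, and explorer opening a Documents folder.
        ProcEvent(3000, 2096, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
        ProcEvent(3100, 2096, "C:\\Windows\\explorer.exe",
                  "C:\\Windows\\explorer.exe C:\\Users\\Admin\\Documents"),
    ]


if __name__ == "__main__":
    for pid, reason in find_suspicious(sample_events()):
        print(f"PID {pid}: {reason}")
```

Rule 1 deliberately requires the parent to be present in the event set; the COM-embedded explorer.exe (PID 2096) therefore does not fire on its own, which keeps the rule from alerting on every shell launch. The two 8.exe executions (PIDs 2992 and 5100) are caught by Rule 2 regardless of parent.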

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Clients\8.exe

      Filesize

      114KB

      MD5

      2b245b1f61439dabb3f2cd1d43223421

      SHA1

      e2ea5775213f151c00379beaa1069f818864a1f8

      SHA256

      f0ed788a91d15d76b75a16c151dca01cc7d6d82d5de44949c17ade49db390b15

      SHA512

      45fc120d0ce36e26a5cd5773eeb8afe3f837df0083e6abaee38129f0d0fbf1b25626eb9c3d791a4aeede508b7008b1094e064ad495b38da2f0d92d07fa28758a

    • memory/1220-4-0x0000000005130000-0x000000000513A000-memory.dmp

      Filesize

      40KB

    • memory/1220-7-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/1220-3-0x0000000005180000-0x0000000005212000-memory.dmp

      Filesize

      584KB

    • memory/1220-0-0x000000007461E000-0x000000007461F000-memory.dmp

      Filesize

      4KB

    • memory/1220-9-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/1220-6-0x0000000006D90000-0x0000000006F36000-memory.dmp

      Filesize

      1.6MB

    • memory/1220-2-0x0000000005730000-0x0000000005CD4000-memory.dmp

      Filesize

      5.6MB

    • memory/1220-8-0x000000007461E000-0x000000007461F000-memory.dmp

      Filesize

      4KB

    • memory/1220-5-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/1220-10-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/1220-11-0x0000000008830000-0x000000000894C000-memory.dmp

      Filesize

      1.1MB

    • memory/1220-1-0x0000000000620000-0x000000000071C000-memory.dmp

      Filesize

      1008KB

    • memory/1220-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/1220-20-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

    • memory/2992-19-0x0000000009220000-0x0000000009286000-memory.dmp

      Filesize

      408KB

    • memory/2992-15-0x0000000000D70000-0x0000000000D92000-memory.dmp

      Filesize

      136KB