metamorpherrat | bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482

Analysis

max time kernel
4294222s
max time network
178s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe
Size

78KB
MD5

01e331a399bb6dc2647bb28a0b034078
SHA1

0c29521dc433c454d493b1e34fd06fddb8d47f5c
SHA256

bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482
SHA512

fe4160d73f2f963beeb6940c175b6bfa1c986a204b1dd3e8d56d4a67e48e7eb75752ca45d4a5c7e2a55867a48497690caa5ce4f3ef732b31f6cdc5d57afbf953

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpA757.tmp.exe

pid process

1884 tmpA757.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpA757.tmp.exe

pid process

1884 tmpA757.tmp.exe

pid	process
1884	tmpA757.tmp.exe

pid	process
1884	tmpA757.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe

pid	process
1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe
1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpA757.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA757.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exetmpA757.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe
Token: SeDebugPrivilege	1884	tmpA757.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exevbc.exe

description	pid	process	target process
PID 1844 wrote to memory of 1852	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	vbc.exe
PID 1844 wrote to memory of 1852	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	vbc.exe
PID 1844 wrote to memory of 1852	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	vbc.exe
PID 1844 wrote to memory of 1852	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	vbc.exe
PID 1852 wrote to memory of 2012	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2012	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2012	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2012	1852	vbc.exe	cvtres.exe
PID 1844 wrote to memory of 1884	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	tmpA757.tmp.exe
PID 1844 wrote to memory of 1884	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	tmpA757.tmp.exe
PID 1844 wrote to memory of 1884	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	tmpA757.tmp.exe
PID 1844 wrote to memory of 1884	1844	bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe	tmpA757.tmp.exe

C:\Users\Admin\AppData\Local\Temp\bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe
"C:\Users\Admin\AppData\Local\Temp\bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxh934mo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp"
3⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bfc6e45698b47266eabc27eb8fe9373994557bd716535fa6a3f4dc1c37104482.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp
Filesize
1KB

MD5
14139f5cfbb1b2c0bd6954f617996c08

SHA1
3a31bb8a339c900c57799b993da93dcc83220970

SHA256
2909f8ad8c32101d3987a92747dd0d90cf2d9903ccc4e1de912d2c4d78dc9155

SHA512
0a8160aa1c3a807778968cc8b8b8f26315dc58d719ee56f4b44221c9ce01536e26614a59ec5ce3597b80c57cc77a7a341666ca2e5628e68f2fc5aceaa7285044

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxh934mo.0.vb
Filesize
15KB

MD5
e62a767aaa0062e6e73c4fcc32425388

SHA1
094684f5ec38604719f38a90398c94b787d5888a

SHA256
c42c41a3684fe42e1274b0657fba8856ad046aea0bedea45338f07e398098bcc

SHA512
66b15a7b9cdb9aa3be7e0730caa83dd978456ded7917876564b1a64688f321fef05ce2462eefdddd77caa6eda2c087a25f11884d1355220cfc73fc0905c8171d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxh934mo.cmdline
Filesize
266B

MD5
a4ec68b1fb0eddab0590895a4e0607e0

SHA1
40ef4aa184e4e17793f0c5e4f9043db6e0ab8a29

SHA256
54d526261c2c8defdbbb5d7eae9c69ee2bc0c26ed0b09e39aa7107b08c808bf2

SHA512
9cb6f5eb115b533d4cf2cf834722f7523b160418456bbb752428775d1b9aeac93d9d171bccbbb0003f453643afe63fcedb5489e039bd9eb836cea685e91df033

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe
Filesize
78KB

MD5
80ef91d2b08bb15e0e583458c32c695e

SHA1
5b6a000e0ea370b86e328193c4795a162363ffe4

SHA256
f3f51b2b5d21a03e3f10dc7d313e5f4ad2d7b7d8c0b067668186e04bdc08200d

SHA512
5ee9f1511678bb4a81d1852eb030620079f28c3fcd4bf9591ea4fdb5d52f3825ce449b5a194e6c5dc1e5b2dfa765387ae7155d1c4f2e479849f83d6e23195196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe
Filesize
78KB

MD5
80ef91d2b08bb15e0e583458c32c695e

SHA1
5b6a000e0ea370b86e328193c4795a162363ffe4

SHA256
f3f51b2b5d21a03e3f10dc7d313e5f4ad2d7b7d8c0b067668186e04bdc08200d

SHA512
5ee9f1511678bb4a81d1852eb030620079f28c3fcd4bf9591ea4fdb5d52f3825ce449b5a194e6c5dc1e5b2dfa765387ae7155d1c4f2e479849f83d6e23195196

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp
Filesize
660B

MD5
2ee097ca5bfbeb7e9a4008f873866706

SHA1
c8b3ab043cddb342d0fb19d19c84e480aa41c17d

SHA256
039718897689a16538ca84e330ee97e05b06f5331cf9447c7c4f8fc793b54061

SHA512
fd6aa1a14244ac175a4c09519384d546035bc70906c194ca25b1375faf3d5da47838476e86ccb8de9675b0d0a2009b037236ad6d3e97f319abfe2cc3d6ba45d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe
Filesize
78KB

MD5
80ef91d2b08bb15e0e583458c32c695e

SHA1
5b6a000e0ea370b86e328193c4795a162363ffe4

SHA256
f3f51b2b5d21a03e3f10dc7d313e5f4ad2d7b7d8c0b067668186e04bdc08200d

SHA512
5ee9f1511678bb4a81d1852eb030620079f28c3fcd4bf9591ea4fdb5d52f3825ce449b5a194e6c5dc1e5b2dfa765387ae7155d1c4f2e479849f83d6e23195196

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA757.tmp.exe
Filesize
78KB

MD5
80ef91d2b08bb15e0e583458c32c695e

SHA1
5b6a000e0ea370b86e328193c4795a162363ffe4

SHA256
f3f51b2b5d21a03e3f10dc7d313e5f4ad2d7b7d8c0b067668186e04bdc08200d

SHA512
5ee9f1511678bb4a81d1852eb030620079f28c3fcd4bf9591ea4fdb5d52f3825ce449b5a194e6c5dc1e5b2dfa765387ae7155d1c4f2e479849f83d6e23195196

Download Submit
memory/1844-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/1844-68-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-55-0x0000000000000000-mapping.dmp

Download
memory/1884-65-0x0000000000000000-mapping.dmp

Download
memory/1884-69-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-70-0x0000000000BE5000-0x0000000000BF6000-memory.dmp

Filesize
68KB

Download
memory/2012-59-0x0000000000000000-mapping.dmp

Download