metamorpherrat | 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4

General

Target

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
Size

78KB
MD5

04d5e9376838e75f62c1e3f72036dcd4
SHA1

dc3c1eebe560105197c9c94a3f317a966381ce59
SHA256

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4
SHA512

de87d6a909b0e0e1a8ab8452f0bb652918ca2dfdfea31be65dbbc9871e7418b3cbc43f352979512b726a684bc3fe1de291ee2176f25b610277f7f931f377b8a6

Score

10^/10

metamorpherrat rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp8AA1.tmp.exe

pid process

3160 tmp8AA1.tmp.exe

pid	process
3160	tmp8AA1.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exetmp8AA1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
Token: SeDebugPrivilege	3160	tmp8AA1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exevbc.exe

description	pid	process	target process
PID 4148 wrote to memory of 2488	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 4148 wrote to memory of 2488	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 4148 wrote to memory of 2488	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 2488 wrote to memory of 3112	2488	vbc.exe	cvtres.exe
PID 2488 wrote to memory of 3112	2488	vbc.exe	cvtres.exe
PID 2488 wrote to memory of 3112	2488	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 3160	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmp8AA1.tmp.exe
PID 4148 wrote to memory of 3160	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmp8AA1.tmp.exe
PID 4148 wrote to memory of 3160	4148	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmp8AA1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
"C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7kbfityx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14927EA26B14466DB927234940AE6788.TMP"
3⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7kbfityx.0.vb
Filesize
15KB

MD5
9655e0392b89058e061706fb024b61dc

SHA1
fd17c81b1d8c3a6a74e655851fa2a535e08866d3

SHA256
2acea73a45fcbd3096f5d89d5335329bcff023733728669166bc2dc382647efe

SHA512
f3cde532ed3b457107120cfa15a30e5117c7903952a4e73c4dba9209f4e8492f1aee117e38b2c6b4df473ddf22d3002608acabcee42dfff5c1e450677e989ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kbfityx.cmdline
Filesize
266B

MD5
eaed9507297c045fc8f2e7724b267e4d

SHA1
37d62ee85cf108c54ab6887d742cbe0bc7edf1e8

SHA256
6c64b0839f73c314e0a7b4b367aa880a2b64f04df9929230229204e5408ffec8

SHA512
fed5a89d9125a311b651e216a545d066ac02c9205d3226d1f0e1a54bd362f5e92e2df22cdd4bb56d4a687ac1759579ebf2ebfc0d1f77207d1e67f49ee19ec867

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92A0.tmp
Filesize
1KB

MD5
74f4fda313460ef5cbaf367842e70a2e

SHA1
b90bbec6d1c4359066bdefe85d2ba9e05c092248

SHA256
e5684574cb019922513bfe2f3c1b1725571e652f42835e4d48bb62a14f61ce86

SHA512
4504bb076949ab58c25287124158940f86f316d2e8ece7ebbb002dc4b9f3e8d18e05cbadf2651d28365a7b27f1637009559078037b9c95be47282e7ca248b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe
Filesize
78KB

MD5
f46400b31efd81ba39f09223cc4233c6

SHA1
ead411f7976ef1ca81447735e8d1ac0bbad72c95

SHA256
c272aadce3eaa1bf4ad7a8e4db12e6ae8232ce0627751e7fbcbc0c629a7444b2

SHA512
d23aed759acda594ca40d36fb6c5bdf5139bcca4492c85fd6b9455e71fba516a5e19b94f976a32765ee92aed9a12d3468c1a2d641c981f3e80f2f3691c4471be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe
Filesize
78KB

MD5
f46400b31efd81ba39f09223cc4233c6

SHA1
ead411f7976ef1ca81447735e8d1ac0bbad72c95

SHA256
c272aadce3eaa1bf4ad7a8e4db12e6ae8232ce0627751e7fbcbc0c629a7444b2

SHA512
d23aed759acda594ca40d36fb6c5bdf5139bcca4492c85fd6b9455e71fba516a5e19b94f976a32765ee92aed9a12d3468c1a2d641c981f3e80f2f3691c4471be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc14927EA26B14466DB927234940AE6788.TMP
Filesize
660B

MD5
49606d191dc96b5eee60a549a7891138

SHA1
34c7b206f4f4f44cfe8b3abbad093503fb2fa5c4

SHA256
f01d7647e530c0c520dc972d15b9a475f4a3dac4941fd5133616c9e7a833c636

SHA512
68c8a36270baf3af6cbf8e4afbabd4cac13f0f4af9047cb6aef629ef7f736574539801bf3bb604051904443e777b121e1d9f8cdad0176485cd3cd32ec75a6bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2488-130-0x0000000000000000-mapping.dmp

Download
memory/3112-135-0x0000000000000000-mapping.dmp

Download
memory/3160-139-0x0000000000000000-mapping.dmp

Download
memory/3160-141-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/4148-131-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads