metamorpherrat | cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695

General

Target

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
Size

78KB
MD5

03e747b5e88513e21319eeaa1126b81e
SHA1

b05e3fbf5b3711eba03abd4660ec94e1acc11a17
SHA256

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695
SHA512

d368b1800287d189a8ed49c420721d25eaf72e1b441281dd1881e4e7defdb2d602b277c3cb98dad04028e3ae6da94ff73b136e00616d3dd31eefeaae21c29732

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpBA57.tmp.exe

pid process

4936 tmpBA57.tmp.exe

pid	process
4936	tmpBA57.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpBA57.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpBA57.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exetmpBA57.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
Token: SeDebugPrivilege	4936	tmpBA57.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exevbc.exe

description	pid	process	target process
PID 2096 wrote to memory of 4812	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 2096 wrote to memory of 4812	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 2096 wrote to memory of 4812	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	vbc.exe
PID 4812 wrote to memory of 388	4812	vbc.exe	cvtres.exe
PID 4812 wrote to memory of 388	4812	vbc.exe	cvtres.exe
PID 4812 wrote to memory of 388	4812	vbc.exe	cvtres.exe
PID 2096 wrote to memory of 4936	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmpBA57.tmp.exe
PID 2096 wrote to memory of 4936	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmpBA57.tmp.exe
PID 2096 wrote to memory of 4936	2096	cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe	tmpBA57.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
"C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc111DDB2E9C4744F58DA97558FDAB93BE.TMP"
3⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp
Filesize
1KB

MD5
92ee7b12094adb9a8d518468d1b738ca

SHA1
8a7f69f34fb7d6769dac045ecc33f66ce8f7276a

SHA256
086e13d532573a26ba1267498fa841642b8bc56174796a853c6914f5c792cfaf

SHA512
f653eb72fd7fc86bb7668ad2de5c0ff5cd88706cef5d66b7320242d867fcbd5a13887e981bc8f8d0e04ba3d1fdb8720ff8eb74557044e73a26c521ad0a106f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.0.vb
Filesize
15KB

MD5
54d2043bcd351f7d78646b22812f5645

SHA1
3793ad2be82ba295d6de1af2cfe2b2fcd0e95ec7

SHA256
7cdcbd1e79dfa4db755e3227d1a061ea296ca32b6a0b99aadceb1500af8be9b8

SHA512
6ec4fe7717bccf01070c1e1eba96ecc545952100222765556c464b90538800288cba4060efbbf8177293ce0b27734ef5622f077f3c06ad7cc797cff671f47e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.cmdline
Filesize
266B

MD5
b9d73effbdd95f9dab5fef0c96bcf9e5

SHA1
2d5e15e2a5d4084766452be835d22e342c7be1ca

SHA256
1b93655cfae108fe9f46f32a37aef49504c78ba9f3a784011b325bcfd3763de7

SHA512
a3e5efa0a56571b20ff62ba6a3ec0e84b57d03042d20b5df3d9035d3b1abee216a5134c25ed927dfa5b12b34007df51750bb60ab9b0dde5e1bbb04eaa8a6e6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
Filesize
78KB

MD5
4e2fda90338ae61af76e4725d2b10eba

SHA1
9e747db62afae7c5e4379bc26715142b94138dc8

SHA256
0d6074af25a192c6f675ca01a38387bddbd36a42e7d13e7f834cdf47322a4cb2

SHA512
2dd3b798293a5b7b4f3fe0e1460ce8117eb8afc50cd33accdeb72bc86e8781300fa5c62e45462ec5753505053ad3e663765cd57b1dc044353a7ccd1672d1b76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
Filesize
78KB

MD5
4e2fda90338ae61af76e4725d2b10eba

SHA1
9e747db62afae7c5e4379bc26715142b94138dc8

SHA256
0d6074af25a192c6f675ca01a38387bddbd36a42e7d13e7f834cdf47322a4cb2

SHA512
2dd3b798293a5b7b4f3fe0e1460ce8117eb8afc50cd33accdeb72bc86e8781300fa5c62e45462ec5753505053ad3e663765cd57b1dc044353a7ccd1672d1b76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc111DDB2E9C4744F58DA97558FDAB93BE.TMP
Filesize
660B

MD5
51bcdec07267225b4b9dc709a6be4f5b

SHA1
f5fe02cf17e7588e51293da297fb0239d15fafc5

SHA256
e8d6463a2cf0eac94716b1938016993add9ea0a36be6cad3b6e65226f3af5030

SHA512
9d86e00426e735d6c4357846b746bf46e883a3ece214276e5204d2199449d15e95c187ed7eb8a860162f77d2b63bcdde1b683d369f2614e056c427067dee8112

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/388-135-0x0000000000000000-mapping.dmp

Download
memory/2096-130-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4812-131-0x0000000000000000-mapping.dmp

Download
memory/4936-139-0x0000000000000000-mapping.dmp

Download
memory/4936-141-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads