metamorpherrat | 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc

Analysis

max time kernel
153s
max time network
195s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
Size

78KB
MD5

02f5b7afb2fcd2301daa10fcb64e7998
SHA1

a1641dcd6cd0d2b7f9c2a8b52917deb3b340a61e
SHA256

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc
SHA512

7c7d05b7380829caf16a95174f1d0e4433e23ac24c4b822e02349c3a8f53e7e91981e7186bbe8e72173b4cf3cdcfdf8e22dc899c59f632c78ec04b6c038bcea7

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp9F4C.tmp.exe

pid process

1368 tmp9F4C.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp9F4C.tmp.exe

pid process

1368 tmp9F4C.tmp.exe

pid	process
1368	tmp9F4C.tmp.exe

pid	process
1368	tmp9F4C.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe

pid	process
1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp9F4C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9F4C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exetmp9F4C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
Token: SeDebugPrivilege	1368	tmp9F4C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exevbc.exe

description	pid	process	target process
PID 1636 wrote to memory of 1508	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 1636 wrote to memory of 1508	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 1636 wrote to memory of 1508	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 1636 wrote to memory of 1508	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 1508 wrote to memory of 316	1508	vbc.exe	cvtres.exe
PID 1508 wrote to memory of 316	1508	vbc.exe	cvtres.exe
PID 1508 wrote to memory of 316	1508	vbc.exe	cvtres.exe
PID 1508 wrote to memory of 316	1508	vbc.exe	cvtres.exe
PID 1636 wrote to memory of 1368	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9F4C.tmp.exe
PID 1636 wrote to memory of 1368	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9F4C.tmp.exe
PID 1636 wrote to memory of 1368	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9F4C.tmp.exe
PID 1636 wrote to memory of 1368	1636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9F4C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0uanbfvm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA594.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA574.tmp"
3⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0uanbfvm.0.vb
Filesize
15KB

MD5
f3257055a2e0c13873979000721e88a2

SHA1
9af9db537a76ed118f41bb31961516c40343dccf

SHA256
ef2471d545949b0da478fab7417328a2ca8192b0bb4921797fa35fa6b3bf248c

SHA512
4b00d2e559d3b8b0645746bb9a97941ce6213e1c4eb5335c632c294bfb684c6cd6caedbd67dd8377e38fda09e4e0241167350da83f15794e5fdd3db88d272c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uanbfvm.cmdline
Filesize
266B

MD5
4da32afd2f4610dda46e9651e0408a9c

SHA1
e20e3a9e40ed6631532ace529961e854a97c032d

SHA256
eb872894f9a167791e62c7dee2ad3917db30184b1e67cc58d52b32ef1a7d87b7

SHA512
013ab47d44295f35b49ec70a498a1f0376131b6e20130064d28ff879e291e6f2e86e4d55f1ebf28217b3d91aebd4c5dea9c7d4fe975087f95f65a27fe0672ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA594.tmp
Filesize
1KB

MD5
7f94a50f449f4fbc12b3767d774a45fe

SHA1
f25e3488d2df6ca8250fc141243911ddda2ecf52

SHA256
5376c66db7b728b800b873aa126d93bb868329a2c6ea25e9f78a50eadc4d9bd1

SHA512
00c9d1ef6ced6d8264f4b96838381b8a24a2c4a7b8dd7b64802605777bf91bd6583bb32ce46423a49fcb088cc65dc1ea7eaaea80086f8d096c75edf982b7b574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe
Filesize
78KB

MD5
e1bb9a5cd2f9ff77e91c0b622b9f98be

SHA1
69989c8e05002b61a632bfdfde7a6d83b94a6a0e

SHA256
1b058c8fc24192d7ac982d3c2e793c141a6db46c648a4df50b4465bc54afa192

SHA512
93e7d74dbcbeeab281f084be2b62009c0f9767ed5120499005380952dc9b9f4099c40e040d1920217e35bda173f2562a55c25b4b30e97cf75636d58ff73830f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe
Filesize
78KB

MD5
e1bb9a5cd2f9ff77e91c0b622b9f98be

SHA1
69989c8e05002b61a632bfdfde7a6d83b94a6a0e

SHA256
1b058c8fc24192d7ac982d3c2e793c141a6db46c648a4df50b4465bc54afa192

SHA512
93e7d74dbcbeeab281f084be2b62009c0f9767ed5120499005380952dc9b9f4099c40e040d1920217e35bda173f2562a55c25b4b30e97cf75636d58ff73830f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA574.tmp
Filesize
660B

MD5
01592a8a0f78a804b7ad4af6a1f54057

SHA1
a2bfb4a071895f3074446c7ad12015f06cd0494e

SHA256
2417a668c949c85e0fc1881f906d7298f38445ec4a6e275f8934b2eae59cc1bb

SHA512
2c1a64a5a0b9b493667fcbb759bc92d4967cc48ed80ecdcfb5a9cab3b82de540141a9ab47c10e92e3bbf0e1fcd3f824e08cfe4382d0ecea973eb6a4bbe895dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe
Filesize
78KB

MD5
e1bb9a5cd2f9ff77e91c0b622b9f98be

SHA1
69989c8e05002b61a632bfdfde7a6d83b94a6a0e

SHA256
1b058c8fc24192d7ac982d3c2e793c141a6db46c648a4df50b4465bc54afa192

SHA512
93e7d74dbcbeeab281f084be2b62009c0f9767ed5120499005380952dc9b9f4099c40e040d1920217e35bda173f2562a55c25b4b30e97cf75636d58ff73830f2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp.exe
Filesize
78KB

MD5
e1bb9a5cd2f9ff77e91c0b622b9f98be

SHA1
69989c8e05002b61a632bfdfde7a6d83b94a6a0e

SHA256
1b058c8fc24192d7ac982d3c2e793c141a6db46c648a4df50b4465bc54afa192

SHA512
93e7d74dbcbeeab281f084be2b62009c0f9767ed5120499005380952dc9b9f4099c40e040d1920217e35bda173f2562a55c25b4b30e97cf75636d58ff73830f2

Download Submit
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/1368-66-0x0000000000000000-mapping.dmp

Download
memory/1368-69-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-70-0x0000000000D85000-0x0000000000D96000-memory.dmp

Filesize
68KB

Download
memory/1508-55-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1636-57-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download