metamorpherrat | 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc

General

Target

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
Size

78KB
MD5

02f5b7afb2fcd2301daa10fcb64e7998
SHA1

a1641dcd6cd0d2b7f9c2a8b52917deb3b340a61e
SHA256

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc
SHA512

7c7d05b7380829caf16a95174f1d0e4433e23ac24c4b822e02349c3a8f53e7e91981e7186bbe8e72173b4cf3cdcfdf8e22dc899c59f632c78ec04b6c038bcea7

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp9933.tmp.exe

pid process

3136 tmp9933.tmp.exe

pid	process
3136	tmp9933.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp9933.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9933.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exetmp9933.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
Token: SeDebugPrivilege	3136	tmp9933.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exevbc.exe

description	pid	process	target process
PID 4636 wrote to memory of 4548	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 4636 wrote to memory of 4548	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 4636 wrote to memory of 4548	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	vbc.exe
PID 4548 wrote to memory of 4384	4548	vbc.exe	cvtres.exe
PID 4548 wrote to memory of 4384	4548	vbc.exe	cvtres.exe
PID 4548 wrote to memory of 4384	4548	vbc.exe	cvtres.exe
PID 4636 wrote to memory of 3136	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9933.tmp.exe
PID 4636 wrote to memory of 3136	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9933.tmp.exe
PID 4636 wrote to memory of 3136	4636	2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe	tmp9933.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA103.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc349133FE20B34C11BC13DF2622C029BE.TMP"
3⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA103.tmp
Filesize
1KB

MD5
a8e12d8e0af017b6e7c440ffd4281ec7

SHA1
c9ded4b64e8502207c9d3e1e9ebcca6fc991496d

SHA256
3a8a7580c57e9baf0709c6c3720eff84d4a805d38d56adcec80ced10b8206cca

SHA512
88ba5e8bfee48f7f13af044a314b25881a40d04de73f2c4771a859dcf52ec4e1d0e9418609845f2a506d261f73934e865da18a11a3c0a9d4327167f63d8c658f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.0.vb
Filesize
15KB

MD5
3a5d894464d19567ee03f2bb83563c0d

SHA1
dcbbe10de4633de96eb1692587503b6b88d00de4

SHA256
d3554091ef19764a1698173edc5b96cabee14313de1b57b94f40b9bfc7c56ab2

SHA512
5d2e21c073b0eef4c578cea7aafadb6189457f3fc42880a459e181132887440778de559de020918a9040475d831405aa6df9c12e424fc19e75f3ca1b26676b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.cmdline
Filesize
266B

MD5
01159aeb0927fed263462635235ff399

SHA1
03dca062e0dd3c371aae6ab3a83efba0f0f61ccc

SHA256
db91bd69a02995a62a071cc86485c6b62689bd2c095a25d3fffbb639c63183ac

SHA512
b2c7b2cd225148f3dedb9d304ad30495fb16e6d6cb25f88f60a21f319a5f9f4029e280a0e70c2654bc337143754587a6e56db07dcfa812dc7a8a9f60c50f8982

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
Filesize
78KB

MD5
405cec994ee599499f58516253d31b70

SHA1
116411536bb198572cb6a27e26c1003ba2d63c01

SHA256
b817d807de07fb75e6214ba4b44725ae2463127d1ef1eaba05727e63b4332546

SHA512
6dc400e21a784e7ff347cd916d1de88670e3a31c40dbbfeb13ae0af6533379589e3cf3dc2288104fbbc9bbbd454eae447ff2a7002518402698f9956830ae1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
Filesize
78KB

MD5
405cec994ee599499f58516253d31b70

SHA1
116411536bb198572cb6a27e26c1003ba2d63c01

SHA256
b817d807de07fb75e6214ba4b44725ae2463127d1ef1eaba05727e63b4332546

SHA512
6dc400e21a784e7ff347cd916d1de88670e3a31c40dbbfeb13ae0af6533379589e3cf3dc2288104fbbc9bbbd454eae447ff2a7002518402698f9956830ae1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc349133FE20B34C11BC13DF2622C029BE.TMP
Filesize
660B

MD5
3421fa6b4239de530eeb762dea535b6f

SHA1
8a99eb144657440ddf300203563b8f8191b52afa

SHA256
0a57e75cb883d5c26e04e7dd6b863ff424a62078b100cf386bf0d464907a4bba

SHA512
cbcc0d8b9f8b2cf18c2ece7510b45f371e2d361f86b3289d907bccfc4bfbe6ccb4ac90833a1823d407a8cfb1eca816a35bb26e7789970878c5f2cb1ab6f2ef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3136-139-0x0000000000000000-mapping.dmp

Download
memory/3136-141-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4384-135-0x0000000000000000-mapping.dmp

Download
memory/4548-131-0x0000000000000000-mapping.dmp

Download
memory/4636-130-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads