metamorpherrat | bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886

Analysis

max time kernel
163s
max time network
178s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
Size

78KB
MD5

0076c31673c59cad62f795210aaa96e2
SHA1

a819bcca450431310dae5423110c9d227f167327
SHA256

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886
SHA512

cd5ae8b97052e259417b497136bf6da4b3806261d08d78a783fdc530ef09e2777c6360d2756df44dcd6a24978b3dba540a59bea645da57321d9c69335bf8bd9f

Score

10^/10

metamorpherrat rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp7447.tmp.exe

pid process

992 tmp7447.tmp.exe

pid	process
992	tmp7447.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

pid	process
1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

description pid process

Token: SeDebugPrivilege 1812 bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

description	pid	process
Token: SeDebugPrivilege	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exevbc.exe

description	pid	process	target process
PID 1812 wrote to memory of 1460	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 1812 wrote to memory of 1460	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 1812 wrote to memory of 1460	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 1812 wrote to memory of 1460	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 1460 wrote to memory of 2020	1460	vbc.exe	cvtres.exe
PID 1460 wrote to memory of 2020	1460	vbc.exe	cvtres.exe
PID 1460 wrote to memory of 2020	1460	vbc.exe	cvtres.exe
PID 1460 wrote to memory of 2020	1460	vbc.exe	cvtres.exe
PID 1812 wrote to memory of 992	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmp7447.tmp.exe
PID 1812 wrote to memory of 992	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmp7447.tmp.exe
PID 1812 wrote to memory of 992	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmp7447.tmp.exe
PID 1812 wrote to memory of 992	1812	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmp7447.tmp.exe

C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
"C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4xycyrm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp"
3⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
2⤵
- Executes dropped EXE
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7570.tmp
Filesize
1KB

MD5
2ef9c99625921c94af995b3e6716b68a

SHA1
6936de384c047af13c3abfe6a4c9b8ef734eba65

SHA256
cf8015ff2d5bbaed9057a1a2376db1b28edac8e94f98e9f432b22af24ff1afc9

SHA512
5d16d0aab967cd934745f65f7f78e597b09ae1801e877ce840120586168d3a2239f7df77ad638b8cc996469ec8fa06cfc02d87fb0e29d0262d58e57ba4ccb018

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4xycyrm.0.vb
Filesize
15KB

MD5
bf705e82df738fd1b50b155c8c725328

SHA1
98484a65f2c4c9bfdde441f36d296b53b22db047

SHA256
758175194dba8fe564a1fa58ab6cd7d0f30b646dc38c6e4788847be3df90f3f6

SHA512
bbc688498bdd6fd9350d717a7ab0d2d5d7b0cf6f079692cf3039a921ab1661e6ec880b49c279109baedf66c8dce1539c8860daf8b7068dfc08e9bbcb6c98344a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4xycyrm.cmdline
Filesize
266B

MD5
2e21525a1a494c253ffb6a90811e693e

SHA1
8a2ed68f6cf6f73be008698d568adb2426cd2edc

SHA256
dd6fbca8101a83ea881d1e11f4e0464fa2d050186b4d7378cb45d49bd69274f3

SHA512
65f5cfe75e7237dc62c754833df7b370fcc6bc62d281aec9d82e06579d7143bc312924773957ce18bc16512f1acaff1fe4936fda0e18c9faca8f63639dd39630

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
Filesize
78KB

MD5
473bbc00333621e1d98d6e5d94cff0f4

SHA1
3f98b2cc3168d4b1d48ef5185d1b90dc951b5926

SHA256
3d16c5e8f93e8efcf011bb8a9c7a86d36842cae79db9c4e86e38930c3df9f2a1

SHA512
06bad3fdf87099595cbe849954be96db6bd69c38529510c71f5441139b6a5a0ff9a230a59dac79531556a2536f2bf657311b452974ce94165b1899009afe7cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
Filesize
78KB

MD5
473bbc00333621e1d98d6e5d94cff0f4

SHA1
3f98b2cc3168d4b1d48ef5185d1b90dc951b5926

SHA256
3d16c5e8f93e8efcf011bb8a9c7a86d36842cae79db9c4e86e38930c3df9f2a1

SHA512
06bad3fdf87099595cbe849954be96db6bd69c38529510c71f5441139b6a5a0ff9a230a59dac79531556a2536f2bf657311b452974ce94165b1899009afe7cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp
Filesize
660B

MD5
d2767a9523a9210470b67add1eb05c62

SHA1
099cf314b375faa20f2296d68d770e4d45a3b2c3

SHA256
078ed8f851f1d06b9fef6f91c57af7c14b636e3471020a991141634a90117e99

SHA512
2379d22683c45b515f5d3349855b5aae34137db81d719bba52194dc92c8af6c7a86636db464aff545d8b8779b21ebe8e1aaa583d12dd11dade2713569a6f33bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
Filesize
78KB

MD5
473bbc00333621e1d98d6e5d94cff0f4

SHA1
3f98b2cc3168d4b1d48ef5185d1b90dc951b5926

SHA256
3d16c5e8f93e8efcf011bb8a9c7a86d36842cae79db9c4e86e38930c3df9f2a1

SHA512
06bad3fdf87099595cbe849954be96db6bd69c38529510c71f5441139b6a5a0ff9a230a59dac79531556a2536f2bf657311b452974ce94165b1899009afe7cd7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
Filesize
78KB

MD5
473bbc00333621e1d98d6e5d94cff0f4

SHA1
3f98b2cc3168d4b1d48ef5185d1b90dc951b5926

SHA256
3d16c5e8f93e8efcf011bb8a9c7a86d36842cae79db9c4e86e38930c3df9f2a1

SHA512
06bad3fdf87099595cbe849954be96db6bd69c38529510c71f5441139b6a5a0ff9a230a59dac79531556a2536f2bf657311b452974ce94165b1899009afe7cd7

Download Submit
memory/992-65-0x0000000000000000-mapping.dmp

Download
memory/992-69-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/992-70-0x0000000002095000-0x00000000020A6000-memory.dmp

Filesize
68KB

Download
memory/1460-55-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1812-68-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-59-0x0000000000000000-mapping.dmp

Download