metamorpherrat | bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886

General

Target

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
Size

78KB
MD5

0076c31673c59cad62f795210aaa96e2
SHA1

a819bcca450431310dae5423110c9d227f167327
SHA256

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886
SHA512

cd5ae8b97052e259417b497136bf6da4b3806261d08d78a783fdc530ef09e2777c6360d2756df44dcd6a24978b3dba540a59bea645da57321d9c69335bf8bd9f

Score

10^/10

metamorpherrat rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpAC9B.tmp.exe

pid process

1032 tmpAC9B.tmp.exe

pid	process
1032	tmpAC9B.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exetmpAC9B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
Token: SeDebugPrivilege	1032	tmpAC9B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exevbc.exe

description	pid	process	target process
PID 2276 wrote to memory of 4132	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 2276 wrote to memory of 4132	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 2276 wrote to memory of 4132	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	vbc.exe
PID 4132 wrote to memory of 2432	4132	vbc.exe	cvtres.exe
PID 4132 wrote to memory of 2432	4132	vbc.exe	cvtres.exe
PID 4132 wrote to memory of 2432	4132	vbc.exe	cvtres.exe
PID 2276 wrote to memory of 1032	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmpAC9B.tmp.exe
PID 2276 wrote to memory of 1032	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmpAC9B.tmp.exe
PID 2276 wrote to memory of 1032	2276	bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe	tmpAC9B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
"C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE16C0EE656FB4C3A86B0E9C4A9BBE41B.TMP"
3⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD6E7.tmp
Filesize
1KB

MD5
12215bd92fe0fac8b21183c3ce78a342

SHA1
d360100d7bc668fda089c8d6b57620b27c5639b5

SHA256
701fabbd6cc3d58c908d6262111d84b406b319769af5ad8aed69b84bcd5e197c

SHA512
6371e49a3685635dc56f833ad34625ed582ecd5e12ec594bbb65648f0b2c31a7f288836004ed44df8cf39550dcebaaeeef41b17cfdd40d0610d12b12cae3b7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.0.vb
Filesize
15KB

MD5
2409351c0467fe812fc5e9cd5cb46688

SHA1
f0c54cbc5192ede23150155c77c63f7f677995a9

SHA256
95c77ce0d00105f84c7ddc91d48485222339b824fe199b27fb5e045fb6c47c14

SHA512
24332aee894ea3f671c56ebe5ea0c197ab78519b853bb55cbc8e9905d01d60c8cd84a0715faaa16cb345dcceaaa0ada5856daac4065327d2255ba441a79a4601

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.cmdline
Filesize
266B

MD5
b250a7d3f8174dbfc26ff66fd3a40edf

SHA1
f6413ecc513a62e8c3f795a3def92f5370341032

SHA256
0a748d8e34e9ae3036a22c92e42d4094fa146d9d97f101abe8a65df994e2f4f5

SHA512
6e67467f78ab10041ebe840dcbb030b2f50f27c2647bad547911ad2a1feba4cc06fddd5c89b5094f8e333fddbe0300f32389ba35b33eb226f783578763c7e5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe
Filesize
78KB

MD5
25c69f002d0f935652713090d231eae1

SHA1
e77ce76ccf7bd8ead886e28ce5145de74060244c

SHA256
5fc378f159321c0f1fd05e5ed7ed8d056ad677ec18807788c1ab882baf795073

SHA512
78264b8271af06e3351207a0b01ddf7493b010da64a275cfd90dd0961447fd1972fdb0c7364191dc0b7cb8442381ac3e544c4c51b63d5562b3c92b6f3e72e4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe
Filesize
78KB

MD5
25c69f002d0f935652713090d231eae1

SHA1
e77ce76ccf7bd8ead886e28ce5145de74060244c

SHA256
5fc378f159321c0f1fd05e5ed7ed8d056ad677ec18807788c1ab882baf795073

SHA512
78264b8271af06e3351207a0b01ddf7493b010da64a275cfd90dd0961447fd1972fdb0c7364191dc0b7cb8442381ac3e544c4c51b63d5562b3c92b6f3e72e4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE16C0EE656FB4C3A86B0E9C4A9BBE41B.TMP
Filesize
660B

MD5
962f4c63222a47b98a6f57b8e50473cb

SHA1
8626d33171228fcbcd2ec2f83ff189305a1b7b25

SHA256
e519cc38a02fda17218421f2cabe61139075b8d88dce75b5bef74d9516834b17

SHA512
eb8da20f69e8ab0c8d0e4744cd220c3849a3362a370d580be88b9d5e93ea9719ade4263862d06d67dcbe7c0417fc1e20b639b63ab0a5098c0f3819316cfe99c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1032-139-0x0000000000000000-mapping.dmp

Download
memory/1032-141-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2276-130-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2432-135-0x0000000000000000-mapping.dmp

Download
memory/4132-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads