metamorpherrat | 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf

General

Target

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
Size

78KB
MD5

049706e8f7a0c6b01a311664a87d2e36
SHA1

3cfb3a3d7601c6f47699da99f8d50069489934e0
SHA256

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf
SHA512

88dbbbeb8b2f982fff0d91266e9e61bac07b8bb7ae1ad0dfb0af7bb81ee16387c6a55cc4512c48a10d1a8d695c53d8c012315c18eda37f66ce4d876349245588

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp8E07.tmp.exe

pid process

1884 tmp8E07.tmp.exe

pid	process
1884	tmp8E07.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp8E07.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8E07.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exetmp8E07.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
Token: SeDebugPrivilege	1884	tmp8E07.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exevbc.exe

description	pid	process	target process
PID 3484 wrote to memory of 1216	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 3484 wrote to memory of 1216	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 3484 wrote to memory of 1216	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 1216 wrote to memory of 2284	1216	vbc.exe	cvtres.exe
PID 1216 wrote to memory of 2284	1216	vbc.exe	cvtres.exe
PID 1216 wrote to memory of 2284	1216	vbc.exe	cvtres.exe
PID 3484 wrote to memory of 1884	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp8E07.tmp.exe
PID 3484 wrote to memory of 1884	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp8E07.tmp.exe
PID 3484 wrote to memory of 1884	3484	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp8E07.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
"C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aly4uv5d.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1846BC4EEF1541F7AB4CCEC09C98A0EC.TMP"
3⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCFF2.tmp
Filesize
1KB

MD5
43d3849f18c69753bbb1b4c784178a84

SHA1
0d0411c257a0438df36d718dd897b94c92b47998

SHA256
5f45df4f9e0abb24a14e9cbb390a1832a9252298d3c74ecc5b8b580f5d7a59ef

SHA512
fd0aea077ad2a2ee2602e3a7f75cea4f4ee0a70c2b6c08dc5ce949e64ea4637773cb61279051720b18da9c1dff84e3ca6cf2ac427e46d4e5468d54f2bec468ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aly4uv5d.0.vb
Filesize
14KB

MD5
5bab3f0a5c0d27a9d6cc65a017a46658

SHA1
1bac1a95521f370ad5c3686263b21f90c60e8bf6

SHA256
f383ae825695ff5c02112ddd1fb6d9fdadceafdcd63475b452319a61a835f24c

SHA512
24f622aa48c3e490e29730d6cc59046a831923ca3e8ae43198d09ba472426f084024f12ebb96f5dd20d61cd3fac351bd950955b99b498e9edd70f87cdca1480e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aly4uv5d.cmdline
Filesize
266B

MD5
2dd95eb8db469878647508bc137e3b69

SHA1
b8fb4e1f0d35f856ecf1c24a62092d9ef5ab0b26

SHA256
db41c1da4828221fd72ea603cfa21ec06769913adb2b6088914491f193ce9c79

SHA512
94c1fc31ef5b9ba94799e9ec5747ec776747c06269341bbd17fcdd9f5c244a4f75e16f79ae452445bb3e1557c0b702163a9b36794224a8a3c299441ee2c5d1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe
Filesize
78KB

MD5
9680eb83e4b18e173b391c82c46c0df8

SHA1
9302fa92bfdf6bac2759a714ecbd58f7001447bd

SHA256
a471a2e9d32f3cc965a3c97f588d275a08dbb080b9fd2ca762c57c4c7e6aa0be

SHA512
f3a19e27a3749bd518c60a8a650d14ed716118e2ac8b91925833840ab17c76a2270683945a6d1415b26a09a16b2129e85377fd72e813fc6c17643f5c225857e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe
Filesize
78KB

MD5
9680eb83e4b18e173b391c82c46c0df8

SHA1
9302fa92bfdf6bac2759a714ecbd58f7001447bd

SHA256
a471a2e9d32f3cc965a3c97f588d275a08dbb080b9fd2ca762c57c4c7e6aa0be

SHA512
f3a19e27a3749bd518c60a8a650d14ed716118e2ac8b91925833840ab17c76a2270683945a6d1415b26a09a16b2129e85377fd72e813fc6c17643f5c225857e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1846BC4EEF1541F7AB4CCEC09C98A0EC.TMP
Filesize
660B

MD5
3c421d172f9ffd4b565b1ee9e927f26c

SHA1
eb16123160baadadac89d16752518a7ceb18bef4

SHA256
2d3c72aaceae239fb4fd1499ba984474c23f897dd16e0de6e4ee0bab2ff95fa2

SHA512
60ec3abbfa831b5a8e8566f8923b6b7f28ce88285b5321d56d217be0b1dd7235119077da0339358d7b1964c4e58dfb742a12a79d0fabd412b21d3aed6c13d18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1216-131-0x0000000000000000-mapping.dmp

Download
memory/1884-139-0x0000000000000000-mapping.dmp

Download
memory/1884-141-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2284-135-0x0000000000000000-mapping.dmp

Download
memory/3484-130-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads