metamorpherrat | 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a

Analysis

max time kernel
166s
max time network
203s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-05-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
Size

78KB
MD5

00a5cb539ee1e451fd035c658f8b3cec
SHA1

a0cd23c3c67d184c789203ef60ba8c6f45b38204
SHA256

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a
SHA512

4dad74d7783123f125d4b0695c4b19019cd2f3b3a957c0983ed31ee009a7d94a2f87e860a3fe0f6c48fd72f1793101ec6e030dcf910eb8e46d3363bfafd7c8cd

Score

10^/10

metamorpherrat rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpEE56.tmp.exe

pid process

1072 tmpEE56.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpEE56.tmp.exe

pid process

1072 tmpEE56.tmp.exe

pid	process
1072	tmpEE56.tmp.exe

pid	process
1072	tmpEE56.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

pid	process
1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

description pid process

Token: SeDebugPrivilege 1352 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

description	pid	process
Token: SeDebugPrivilege	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exevbc.exe

description	pid	process	target process
PID 1352 wrote to memory of 1304	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 1352 wrote to memory of 1304	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 1352 wrote to memory of 1304	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 1352 wrote to memory of 1304	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 1304 wrote to memory of 1096	1304	vbc.exe	cvtres.exe
PID 1304 wrote to memory of 1096	1304	vbc.exe	cvtres.exe
PID 1304 wrote to memory of 1096	1304	vbc.exe	cvtres.exe
PID 1304 wrote to memory of 1096	1304	vbc.exe	cvtres.exe
PID 1352 wrote to memory of 1072	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmpEE56.tmp.exe
PID 1352 wrote to memory of 1072	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmpEE56.tmp.exe
PID 1352 wrote to memory of 1072	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmpEE56.tmp.exe
PID 1352 wrote to memory of 1072	1352	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmpEE56.tmp.exe

C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
"C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj51ox4h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF088.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF078.tmp"
3⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe" C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF088.tmp
Filesize
1KB

MD5
5a59e0d7f01a7148de2747200bccd861

SHA1
55d02d69371831fad42372e18c93a4d43035d810

SHA256
9ab70f394335bde512aa25d2d7f058084dd1d3d3952fcbd05dc159499fbcb7f0

SHA512
35ee45932b432c50f9d12e80091909069bedbea775b25d35c4c25e05ddf812a22155da73c58b0d462139601deb4cbac02b5d28115a4162352175091f4e0ad197

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj51ox4h.0.vb
Filesize
14KB

MD5
17161e9d69e4b1765d24df9de720ebd8

SHA1
412b48e90c436e9c30e14fe0494b0b63ac057a04

SHA256
004c5d3809e124e0f220351a89ff9341d1bc82331874797d341a28e7894c6780

SHA512
64b06de58e2e6afa098093866eae27667be7644f620bc176441f986eab37396a7e5294884d28c23a9411493b2d7aa85734bb72d721cf872b483d05cb1510ea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj51ox4h.cmdline
Filesize
266B

MD5
f42809a66635046849c9536b7294ac45

SHA1
a073381ceb9c3a907b3454a1879b76c0d6a0051c

SHA256
1e2278793197f73b584842af843d11bc02487dc5a5aec61cf972db16eaac9a0b

SHA512
66cc94fd22b8bb26621253931a4bd377f69a428312f2d9f9e674c695cc15e9713dea223a585d36179ae2b4be519cb6e0e8e13b539db7b7caed918eddaf63dfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
Filesize
78KB

MD5
98c7b85591c74500fb5647407bab264f

SHA1
b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4

SHA256
14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed

SHA512
8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
Filesize
78KB

MD5
98c7b85591c74500fb5647407bab264f

SHA1
b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4

SHA256
14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed

SHA512
8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF078.tmp
Filesize
660B

MD5
5c4c319f6f179079c3971ef986ac31a8

SHA1
d12c1f9f6d303f0d02708e014251b2716c4d8af4

SHA256
54408ca509ab037641869bd5cc4a4f80a080f764d4e09ca17a45246ef4bbe3d7

SHA512
3926fca523d897fa830da8d5cd5d4669b506aa4015d86908cc38041c55582f8e8674ddd0b9858f7680988304f2d1de78c780aeaba7f5e8412fc2a49542a5cc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
Filesize
78KB

MD5
98c7b85591c74500fb5647407bab264f

SHA1
b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4

SHA256
14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed

SHA512
8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39

Download Submit
\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
Filesize
78KB

MD5
98c7b85591c74500fb5647407bab264f

SHA1
b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4

SHA256
14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed

SHA512
8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39

Download Submit
memory/1072-66-0x0000000000000000-mapping.dmp

Download
memory/1072-69-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-70-0x0000000000BC5000-0x0000000000BD6000-memory.dmp

Filesize
68KB

Download
memory/1096-60-0x0000000000000000-mapping.dmp

Download
memory/1304-56-0x0000000000000000-mapping.dmp

Download
memory/1352-55-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download