metamorpherrat | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7

General

Target

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
Size

78KB
MD5

015b121254c946730c35060c7677e4f9
SHA1

f085f06f9034fee0f222dc3b173c1a5b1cd10b60
SHA256

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7
SHA512

7563d7410cdc80f2cb63c4c4d45c8636141af2f5ab870e17fb0c0f8ebed0032943c9144b0132da29390252d3a190baec8560ba350b73068dddddd04d35cf3a7d

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp5CC6.tmp.exe

pid process

1136 tmp5CC6.tmp.exe

pid	process
1136	tmp5CC6.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp5CC6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp5CC6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exetmp5CC6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
Token: SeDebugPrivilege	1136	tmp5CC6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exevbc.exe

description	pid	process	target process
PID 3412 wrote to memory of 376	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 3412 wrote to memory of 376	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 3412 wrote to memory of 376	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 376 wrote to memory of 1580	376	vbc.exe	cvtres.exe
PID 376 wrote to memory of 1580	376	vbc.exe	cvtres.exe
PID 376 wrote to memory of 1580	376	vbc.exe	cvtres.exe
PID 3412 wrote to memory of 1136	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp5CC6.tmp.exe
PID 3412 wrote to memory of 1136	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp5CC6.tmp.exe
PID 3412 wrote to memory of 1136	3412	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp5CC6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
"C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0izt6o61.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc545750FC1DD04479AC14F65CEF6D53D8.TMP"
3⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0izt6o61.0.vb
Filesize
14KB

MD5
4b6a3bb824537a024f610ae976e968c1

SHA1
87b6f542f86fb16525210eab75e301848c3cabff

SHA256
80a90b0e192103ba3f639a5d60cba38292433582856b909fe6f6838fc1eb5409

SHA512
bd774ff45601505fed02839b41c478ac611af94ff325a703131fe6096097d7772e3f2c63abaa878cb0802aeeea2f0f6186705ae8762d52065643b703f81071a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0izt6o61.cmdline
Filesize
266B

MD5
cfc4fd3ea1ca7017225f9283b284c802

SHA1
4f32bc25b3229403d8255522f9b634fed9f0721e

SHA256
b837af97ed846082567a932f406923e39325f7466dd386e1fb07c0c9ef2b694b

SHA512
5e9e3ab09cc3f1477266e000d326011d4f436cf88a6f73c4630586f90a760391274c9826a143e808ab47436ae0668da7a352b6dd9c8650a925fc0ed56344605e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64F4.tmp
Filesize
1KB

MD5
f1ab9a9472f6d28dac20239700ba2ae7

SHA1
44af10458b865a0c74185c72d0b5724f9b53e2e1

SHA256
ea9a7ad694342d5399aafcc28a86698de1b70902ee4e55a75270a0a51b64314a

SHA512
b0a844148272823c54d05445800c5f84d0647f37d23ccfdb0bd25fb155aec9af0c642699f6d2df62abc2ca706937355c525c428163ba17cebe95ee26360d8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe
Filesize
78KB

MD5
5cdd52b358306575777bc250dc7e820a

SHA1
05a3d1bbc30b6367e65bebb027994da77a335074

SHA256
8045c512f4d45ee4e283592e63c0c946db23deff0a8a5e9b58a1cb5e062b1bb7

SHA512
554d9ba79131e6e9352042d16a7bde43cb8f123f24b69ea9f0ba58b5aa5e7d18a7d209b2e6e781d07c7747a40345864f9453b465393fb85142949fae16c2af50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe
Filesize
78KB

MD5
5cdd52b358306575777bc250dc7e820a

SHA1
05a3d1bbc30b6367e65bebb027994da77a335074

SHA256
8045c512f4d45ee4e283592e63c0c946db23deff0a8a5e9b58a1cb5e062b1bb7

SHA512
554d9ba79131e6e9352042d16a7bde43cb8f123f24b69ea9f0ba58b5aa5e7d18a7d209b2e6e781d07c7747a40345864f9453b465393fb85142949fae16c2af50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc545750FC1DD04479AC14F65CEF6D53D8.TMP
Filesize
660B

MD5
8a7b963bb496162997126dcbaaf8af3c

SHA1
418c1c93cd8d015d5c68bff9e78abdb8b6f4194f

SHA256
d5d6fb1f9555e8a3e61e6b10cb942c6f5a2e3a7e34d5ccd03828010eda1bee60

SHA512
2dcf05a0cd2db331aed162b2e188bbe33cdfa6712161edbc46f2fa311eefd09c22378bfbeb366048485d0a5a0efd9adc1d97445b0483b315f4513731ce22ed40

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/376-131-0x0000000000000000-mapping.dmp

Download
memory/1136-139-0x0000000000000000-mapping.dmp

Download
memory/1136-141-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/1580-135-0x0000000000000000-mapping.dmp

Download
memory/3412-130-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads