metamorpherrat | 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806

General

Target

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
Size

78KB
MD5

0d9c2592b4c26d0442c9bd807979f66e
SHA1

af6180101e58fb4489c54fe8f78840a41e0e86fd
SHA256

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806
SHA512

5000a9a5a30f4ff638b153ebff11c3143c6b2de35b368f4e17f4c76088906980fa1293b70aa58eb604597375b23720d2644ad26f5042f35fd9573f349ad097ec

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp87ED.tmp.exe

pid process

4064 tmp87ED.tmp.exe

pid	process
4064	tmp87ED.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp87ED.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp87ED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exetmp87ED.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
Token: SeDebugPrivilege	4064	tmp87ED.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exevbc.exe

description	pid	process	target process
PID 2540 wrote to memory of 1568	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 2540 wrote to memory of 1568	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 2540 wrote to memory of 1568	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 1568 wrote to memory of 4860	1568	vbc.exe	cvtres.exe
PID 1568 wrote to memory of 4860	1568	vbc.exe	cvtres.exe
PID 1568 wrote to memory of 4860	1568	vbc.exe	cvtres.exe
PID 2540 wrote to memory of 4064	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp87ED.tmp.exe
PID 2540 wrote to memory of 4064	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp87ED.tmp.exe
PID 2540 wrote to memory of 4064	2540	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp87ED.tmp.exe

C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
"C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhpizw2l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB398E614C9D443FDB7DC45E961387F5.TMP"
3⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp
Filesize
1KB

MD5
ed36eec5d8fb3dc637cb626988b1303b

SHA1
99cb2ef2bff6af90d04ae74b06de349f19cbc996

SHA256
7e8a2cc1f557b86ae68f5e4a97237511aae7559e17e5ef0f425b71032cb45f1a

SHA512
652ded81c5d3179e6e73f3be59627b2b1ea01dd5d4d6fc28faa287163921b973b843767f55893f459e128f2a8633b8165cccbef4148cf86b58c5da00db488044

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe
Filesize
78KB

MD5
9a5da0fb6b6d98e06a3b7bd60ca5fc3e

SHA1
9793e0ee4d92ce5cd4c75434546d2a6ca44edb3b

SHA256
df5a4af2a95f6d756b34e0cb3df0c77f136b8f23063af15d3fa3f50e6f9f28c5

SHA512
916723a40e524460d0f69a0f1cc5bf0b15123212b2d96fc399206979e562fb8fa47eef182acc917120613d3743863f3fa08ad5717f44d83b7a0f4fec7b048a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe
Filesize
78KB

MD5
9a5da0fb6b6d98e06a3b7bd60ca5fc3e

SHA1
9793e0ee4d92ce5cd4c75434546d2a6ca44edb3b

SHA256
df5a4af2a95f6d756b34e0cb3df0c77f136b8f23063af15d3fa3f50e6f9f28c5

SHA512
916723a40e524460d0f69a0f1cc5bf0b15123212b2d96fc399206979e562fb8fa47eef182acc917120613d3743863f3fa08ad5717f44d83b7a0f4fec7b048a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB398E614C9D443FDB7DC45E961387F5.TMP
Filesize
660B

MD5
e6a84c9bc907afeee4703eb619a05466

SHA1
a455bc47fa0f83b71ed12b43ca1bb62411a64b13

SHA256
06cb5a77e1a523fef403a39763392f15136ad8012f0b1489403aad9af095033f

SHA512
367c333494b69771c23153b2f3258d9d2b17f155e3684531192fb8e20d68e71bd63cd4a7d0bb597e8315a5411cc1cf20aa944a1c7b6979a3031f0051e924b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhpizw2l.0.vb
Filesize
14KB

MD5
41f00fc7f82e5b1aacd6778373fbe009

SHA1
f1c6d2e61b18e08204961fc747d067cca570c454

SHA256
9f98f7f64c091e9c96c9738fcf0d1fdd02ab25a6a08b4887737274980660fb72

SHA512
178c9d51825af92e184dae8cb104bfa83bc83431f0b88ba7712ac27242a376b7bf91061594879ffff22608c48a2ec0c1a7249f6567a7074124d9dc405cbe7456

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhpizw2l.cmdline
Filesize
266B

MD5
2ceebbc8bb8862054212554cb246efbc

SHA1
931f5f12ee485a3fb52952e5ed48c5933f3839b5

SHA256
eef1e87c8b7bc9b39b92a515adfd9fa0da6b363d704dbf18cb130904c847923f

SHA512
f3d9186ccf9d6daf82f1d0f08e5b0b2607b570e7225fa7c6b3fa5ffd4f8eb663f04524c6decbf90b69690016de7cf304624b7d03169692d73036924213a6f928

Download Submit
memory/1568-131-0x0000000000000000-mapping.dmp

Download
memory/2540-130-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4064-139-0x0000000000000000-mapping.dmp

Download
memory/4064-141-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4860-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads