metamorpherrat | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049

General

Target

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
Size

78KB
MD5

22925b7ae382e5821f8706641672eabf
SHA1

694980b0dfe105ff8fa89f6899605f83d6f05771
SHA256

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049
SHA512

c678ddd737f8b27df377eab594ce2d65d0ac026dcba3446fc51b1dd89a7df8066de96ca13cc5d1e595113380c94ba49662087a3bb313d106add1d5b9dc26f819

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpCC29.tmp.exe

pid process

2096 tmpCC29.tmp.exe

pid	process
2096	tmpCC29.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpCC29.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpCC29.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exetmpCC29.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
Token: SeDebugPrivilege	2096	tmpCC29.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exevbc.exe

description	pid	process	target process
PID 4020 wrote to memory of 2156	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 4020 wrote to memory of 2156	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 4020 wrote to memory of 2156	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	vbc.exe
PID 2156 wrote to memory of 2652	2156	vbc.exe	cvtres.exe
PID 2156 wrote to memory of 2652	2156	vbc.exe	cvtres.exe
PID 2156 wrote to memory of 2652	2156	vbc.exe	cvtres.exe
PID 4020 wrote to memory of 2096	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmpCC29.tmp.exe
PID 4020 wrote to memory of 2096	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmpCC29.tmp.exe
PID 4020 wrote to memory of 2096	4020	eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe	tmpCC29.tmp.exe

C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
"C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xehhyhgu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc807DA5D354F04228BFB8503C85472BC9.TMP"
3⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp
Filesize
1KB

MD5
237fa6bb60c11a2a0f3139558825c4fa

SHA1
9d947fa70e949e66c155a7c9c078a3aa1a114cf5

SHA256
76576a122e8224d18a57d445e32edc91bfb56e086f1d0591a94f5d6a82b76878

SHA512
89d3a305cdcdce46ee697ec385af035a29966b5accf6735169b4f79bdf589c73c890ce886c35759db13396c6e5d3cc3f141ffa262055d38282516ff7c0d89df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe
Filesize
78KB

MD5
9ac90888a5b5aaa027a61c768e345b41

SHA1
60142c327b877337d8653baf05fe5a5450ca9727

SHA256
58d5c2c7d9c5cf7b9140f4313cef5679e499aab953febf2b33734ca292a61c82

SHA512
127a3eaf2cea5cadfe9857fdbc53643790f8725012c6aa9d69442f70ee36a83541c8f9eb75b8ec626323e428d3292257ab373eacfe2e00928da6d93991df3766

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe
Filesize
78KB

MD5
9ac90888a5b5aaa027a61c768e345b41

SHA1
60142c327b877337d8653baf05fe5a5450ca9727

SHA256
58d5c2c7d9c5cf7b9140f4313cef5679e499aab953febf2b33734ca292a61c82

SHA512
127a3eaf2cea5cadfe9857fdbc53643790f8725012c6aa9d69442f70ee36a83541c8f9eb75b8ec626323e428d3292257ab373eacfe2e00928da6d93991df3766

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc807DA5D354F04228BFB8503C85472BC9.TMP
Filesize
660B

MD5
7fa54457c444313e825ff1f45abe8a84

SHA1
7e3ba071a99a195ed125fca10dfc918cb966f455

SHA256
eb198ef3f4352ec74c3a45a58fbe917da9a97784ad49b4364778bb1520f7db8e

SHA512
5958543e8b78bb3f98512e8cee461d0a5a6ad4b8d15b5e72daab17ef6e7a2f94f384353bdf9d7dbe808c1acf1e8586d37563f93d97e003f23c8ff153fb2e2bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xehhyhgu.0.vb
Filesize
15KB

MD5
12291703f69a177b3e9b0f2acd57c4d9

SHA1
4b16e45407858ebc4b4c8ddf33139263b2d4dc90

SHA256
a2a941ff8c395c1eb75c500d332c3c83d0b7fa1c5c1b01c353baa2147ee38844

SHA512
c53e8020eb52ba2821b3556a699ee699b5648e6a6d5d7bac5165b46a21d891972a9df5af707083405f7249cf4b1bcc26129523e30bc58a4a6aa8a37390a3ceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xehhyhgu.cmdline
Filesize
266B

MD5
3152cc764e9f2c9609d7a32b28ba5191

SHA1
fec2eff3712caad3fd81584b4c4f75aeb40700bd

SHA256
7d009b296a2f6014af87cdbd8380163b402cab0797d7c46c8562b83015d26502

SHA512
2b2c1354317c1a1107955574328b199fe6fec9ba9332f351c3abbccfb09ec588bc33ace2b656977fd1ba3151a4486a9e84f9bea665c4b66289fb99931844514c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2096-139-0x0000000000000000-mapping.dmp

Download
memory/2096-141-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-142-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2156-131-0x0000000000000000-mapping.dmp

Download
memory/2652-135-0x0000000000000000-mapping.dmp

Download
memory/4020-130-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads