metamorpherrat | ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48

General

Target

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
Size

78KB
MD5

06af9b765f0971d34da6cee01bb0dfd3
SHA1

d418e6d883263be3253b8e7884b3481ee9e362ba
SHA256

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48
SHA512

3d20ef5897663c30fc0669fc0f1498d9b7f9fee5a1ab002022a03140e9075797eb8c4108777f22888d44004dc914601a71066592ae9b1a3c52b03bab0959f285

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpD254.tmp.exe

pid process

2720 tmpD254.tmp.exe

pid	process
2720	tmpD254.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpD254.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD254.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exetmpD254.tmp.exe

description	pid	process
Token: SeDebugPrivilege	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
Token: SeDebugPrivilege	2720	tmpD254.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exevbc.exe

description	pid	process	target process
PID 556 wrote to memory of 5116	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 556 wrote to memory of 5116	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 556 wrote to memory of 5116	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	vbc.exe
PID 5116 wrote to memory of 1668	5116	vbc.exe	cvtres.exe
PID 5116 wrote to memory of 1668	5116	vbc.exe	cvtres.exe
PID 5116 wrote to memory of 1668	5116	vbc.exe	cvtres.exe
PID 556 wrote to memory of 2720	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpD254.tmp.exe
PID 556 wrote to memory of 2720	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpD254.tmp.exe
PID 556 wrote to memory of 2720	556	ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe	tmpD254.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
"C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0fidx5o.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD551.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE63B9C76BD7141959E9B52BEAF1DBEC6.TMP"
3⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD551.tmp
Filesize
1KB

MD5
e644193ebe9860fb2c4774ce9995d897

SHA1
2b3e8cc6114d3f7ca37198e6afe7199cd7b80441

SHA256
b5651bc87e7f3cea10dda208d631aa970a371e069aaeaaa3ea278a2e983886aa

SHA512
00fbba05826f886223885646d1a2cea9303b01c3573929acc8bdf2d4d9858ce6b5b12c0b84a265c084fb9f8b592a1413f77b0bde115f6d8ffd2c0aac371f5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0fidx5o.0.vb
Filesize
14KB

MD5
a2f503133a375d28ff810981b3311692

SHA1
04ddc806f64cd8673a2c2c6849600f3b48e1ad21

SHA256
983eb971eda6e79816e868d52e9cdde1916a28125ac63b792c78bf8d0e03fb6a

SHA512
cf7c30bc37eb31f58e9bbf834803189c51a4bb50eac4df9b4c5c51f6a1794698580abfd06bdb6f51138c47f057cafe71e5466678dfd87951783e9380b6c46b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0fidx5o.cmdline
Filesize
266B

MD5
1d44ad30fd4795af0c546ea936232e04

SHA1
c2dffc15caaadd3468d312d51535ac7e544983fe

SHA256
0562b5076f36e2c4cf767b102ae3fb35b1ac2abeb284c22aa7bb2882fe7ef567

SHA512
043093d0e936ed66a75aba522e780c00e3689a74fb3544541b468de6dfc108cedda8a2e83a1e9c1a091a9cc75ab3405a4e34ab9714adb6e8f57a93fe649ad8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe
Filesize
78KB

MD5
6fe65429cbbd3e2526e40411a223843b

SHA1
ce36b861cc27eb46043eacf82117a544782fe2cb

SHA256
b4524f452e4ab4223664ea3c39ea58cf903fcbffcc9efbe69f69cce20af48705

SHA512
1ded9b4089dc7bfdc2ff43d8cbe812844a2303c6dee67af579c731c96d0766749e6beb73bd2182a0f186eb8c48b888ee9902c618c3bf4be7720ef558323d87e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe
Filesize
78KB

MD5
6fe65429cbbd3e2526e40411a223843b

SHA1
ce36b861cc27eb46043eacf82117a544782fe2cb

SHA256
b4524f452e4ab4223664ea3c39ea58cf903fcbffcc9efbe69f69cce20af48705

SHA512
1ded9b4089dc7bfdc2ff43d8cbe812844a2303c6dee67af579c731c96d0766749e6beb73bd2182a0f186eb8c48b888ee9902c618c3bf4be7720ef558323d87e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE63B9C76BD7141959E9B52BEAF1DBEC6.TMP
Filesize
660B

MD5
05cb98539520e291fa8c7e8bb73a36f0

SHA1
1b02e928a9fa8a0b073c96bbc806497a57aedc76

SHA256
164600fe26fedd641b52d0ec4a604b6e0fdfa33cffc05f068b08ecccc01e5cad

SHA512
07eea38c910af4a196c0624e12748a754e8aa9e90ab38857537d76bbf65bce699eab4689638d111887b7cc17fef78d32228428fc1751907cce06c724831acc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/556-130-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1668-135-0x0000000000000000-mapping.dmp

Download
memory/2720-139-0x0000000000000000-mapping.dmp

Download
memory/2720-141-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5116-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads