metamorpherrat | 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3

General

Target

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
Size

78KB
MD5

03e7554116590a34c071d2c7954df17d
SHA1

d4b801e0f7427bf55e2440b59139cb4365a54e62
SHA256

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3
SHA512

148aa862f433bfc3f006e596a7d273546d389a9740a738a0abf11d152b0437fb1ed474854ac1904e740c7441670f170235b8f00eabd7ee57bf688c47fb963c40

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp54F6.tmp.exe

pid process

2436 tmp54F6.tmp.exe

pid	process
2436	tmp54F6.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp54F6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp54F6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exetmp54F6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
Token: SeDebugPrivilege	2436	tmp54F6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exevbc.exe

description	pid	process	target process
PID 4744 wrote to memory of 2748	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 4744 wrote to memory of 2748	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 4744 wrote to memory of 2748	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	vbc.exe
PID 2748 wrote to memory of 4784	2748	vbc.exe	cvtres.exe
PID 2748 wrote to memory of 4784	2748	vbc.exe	cvtres.exe
PID 2748 wrote to memory of 4784	2748	vbc.exe	cvtres.exe
PID 4744 wrote to memory of 2436	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp54F6.tmp.exe
PID 4744 wrote to memory of 2436	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp54F6.tmp.exe
PID 4744 wrote to memory of 2436	4744	5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe	tmp54F6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
"C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m989ugl0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B79C337F7074378ACC68D56E4E362DE.TMP"
3⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp
Filesize
1KB

MD5
7c747f277dbef0ebd047ef775484c595

SHA1
ac44022964c21bdad113994f698b02df56a180e6

SHA256
3213c8afa2e1d656f68bd1f115e1862bf043c051d41b3c2aac024b31d099805e

SHA512
e1a10021685357fdf60dd502396fe1332d72589238acc57016acdfecdc33c198d35bbd104d0a9c13578ac29fd70bddef12d5a15d44f724a18fdcecd43dc8a1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m989ugl0.0.vb
Filesize
14KB

MD5
a18f896d3b6a3b8f147a1a118cecb4ff

SHA1
db7e598421df2ba0f7bee80fd600a0c44f1d2029

SHA256
73888c7f0571ec60b35db19b5ff704fcdb417021ba3774d50cabbc2e7a4d004a

SHA512
b8d2db2c49c749740c04a16ac0ddc50f47cbf18488e06ab97d2229dfee0307a4da8b23325382a1f81be7aa313be2804a2cffbddbfd0e071e3cc93de3f5f55e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m989ugl0.cmdline
Filesize
266B

MD5
2afa2791744ae3e9ad13a135e55c6867

SHA1
f425d25452aa53254ab74c8ffc3a32d85c2f2cc6

SHA256
137a8c0f89a97f739a45d115c12f2222ddfadc6e32f55511fb305d1e79254667

SHA512
89b80f3eb00ad00fd9beae5e25a3c3c111c6e995db29bed4edb65a9b125a10f7e2ea4c9574d2b9d129c49943f2dd97b31823e8a878785ead66a6ddfd6aedecc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe
Filesize
78KB

MD5
81bc607a96252701d0112556251824c5

SHA1
47324271e42f59f83f4d863154ebf9cfb18969f8

SHA256
bbe3966bbe87aca1342a1ddbcc94df4ff2d1a33c8bceac06b215c70bda27bd64

SHA512
8a3b2dec2ecb08a36f446787399354595ecd9746de092f3ad35286de0fbc60a020d3f3393b5f285e4a6f31321d7cf6ee9826e4a35931a4e0dd82ed336e6f20b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe
Filesize
78KB

MD5
81bc607a96252701d0112556251824c5

SHA1
47324271e42f59f83f4d863154ebf9cfb18969f8

SHA256
bbe3966bbe87aca1342a1ddbcc94df4ff2d1a33c8bceac06b215c70bda27bd64

SHA512
8a3b2dec2ecb08a36f446787399354595ecd9746de092f3ad35286de0fbc60a020d3f3393b5f285e4a6f31321d7cf6ee9826e4a35931a4e0dd82ed336e6f20b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B79C337F7074378ACC68D56E4E362DE.TMP
Filesize
660B

MD5
d5f7c360c2693b77b738191564938838

SHA1
9afa515ae22d5780bb623fcb45974a3fc281440e

SHA256
aa2f46b7984d4947c2d25ffa917b68c35b6441fdd5a04b0d86b350806870507a

SHA512
42c111408bcffeead22db06e10494e4c10cf8dfbb51b5a6bc2e15ffc81c2474030b23592763b044c416ef88f25e05b1aea56a133b5e32497c5850ed9d3c98b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2436-139-0x0000000000000000-mapping.dmp

Download
memory/2436-141-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/2748-131-0x0000000000000000-mapping.dmp

Download
memory/4744-130-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4784-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads