metamorpherrat | 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24

General

Target

08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
Size

78KB
MD5

00a165f92e1ef3491ca5470c4a52ad0e
SHA1

1151a21145e1dbfd84cc19df4568e9b87ffe86f0
SHA256

08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24
SHA512

550d917976cdc913cdafd934a5e06f7117fc1e6ae88d5c7b4b88cf2509ee1e607ae997562ceed1f5556bbfd0346dbc05a793139f64c405efbda40b7b9b194a57

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp4EFB.tmp.exe

pid process

2068 tmp4EFB.tmp.exe

pid	process
2068	tmp4EFB.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp4EFB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp4EFB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exetmp4EFB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
Token: SeDebugPrivilege	2068	tmp4EFB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exevbc.exe

description	pid	process	target process
PID 3592 wrote to memory of 2796	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	vbc.exe
PID 3592 wrote to memory of 2796	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	vbc.exe
PID 3592 wrote to memory of 2796	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	vbc.exe
PID 2796 wrote to memory of 8	2796	vbc.exe	cvtres.exe
PID 2796 wrote to memory of 8	2796	vbc.exe	cvtres.exe
PID 2796 wrote to memory of 8	2796	vbc.exe	cvtres.exe
PID 3592 wrote to memory of 2068	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	tmp4EFB.tmp.exe
PID 3592 wrote to memory of 2068	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	tmp4EFB.tmp.exe
PID 3592 wrote to memory of 2068	3592	08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe	tmp4EFB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
"C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60DDA171CC47E88EAACA84F63066F3.TMP"
3⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp
Filesize
1KB

MD5
9109b194f753438e9a3e7e0491bcd96d

SHA1
9e8f4e072e891ad39e26b18f534cdb52335285d1

SHA256
68faa72118beb72f4aaf8cf13bc471adf1f248560001e02c6d0087f2da6bfe1c

SHA512
2dcdea1763aa679e98f1f095e6c96846710b6856fb8e2b28bdcb69b4b13dbb3ea53dd1327d590ba772093e0a336674c11993dccdec066f12e4d38e2ef453e3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.0.vb
Filesize
15KB

MD5
7e573796fba956082a3393947be64c04

SHA1
7ad0b94ddb172210125e552afc0e1a701773b44e

SHA256
1d3d27d2340d484a5ef31cc0a6cb0386fe7e6531dd93488d059fd032ca56383a

SHA512
9fcaa6452d91db33250dae405fed59362a34ff2c0bd69febe84d0a51727484b35412a7e761eed7de9762f62d6676fbf1cd17cb984ca3b96a6a2defcb38b2988d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.cmdline
Filesize
266B

MD5
f72c527553e7d1512141d6fb996ae4b4

SHA1
01144b9d3ab906fab6b2c70dc5e16c7deb6a09fd

SHA256
a1a2571f102665f2645e993e9e856a92da47a46eb2cbe68eccb4743823581ef0

SHA512
a9c880d8e65ada32499dce834098a469acfff20762e4ff4029d1abae833d4f87e4f0cbeef419f7ddd95b64ca8069f75eee0e1bdae56a57a1e677eb901f402555

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe
Filesize
78KB

MD5
bb248e41e1510606d75b83a828cfcb5a

SHA1
5afbbe65dc1ef56642abcfa940173e4a309499b3

SHA256
86a1886e22603e6d2c1e365b4365ed2ab96b321b9825383bb670e820f82304a6

SHA512
965cefb5601919f3022a40b59cac1cdf8b68905084d826863bf83c4ef8879fb497e8763f389a400e66a21c01dae99f9c5d2f4aa79774cd0c4eac4dad5767fbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe
Filesize
78KB

MD5
bb248e41e1510606d75b83a828cfcb5a

SHA1
5afbbe65dc1ef56642abcfa940173e4a309499b3

SHA256
86a1886e22603e6d2c1e365b4365ed2ab96b321b9825383bb670e820f82304a6

SHA512
965cefb5601919f3022a40b59cac1cdf8b68905084d826863bf83c4ef8879fb497e8763f389a400e66a21c01dae99f9c5d2f4aa79774cd0c4eac4dad5767fbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60DDA171CC47E88EAACA84F63066F3.TMP
Filesize
660B

MD5
7a2de09864add07088b671a32d773c32

SHA1
8c8125b7f54af0835c8b314d894c1a7a1615e6cc

SHA256
f6c40045c488ca56769fbc2721cf7ce12d359f92c1d78255005d0f8ac4a74975

SHA512
3a8d2c6bbe598c24f86cc10ffb9428172feb1b10c7f9e11eb99b39c1632d8d7875a1f96c2d84b5afc44cd1da5c072bd6fe1e0b9e402ca6425cfcec84eca1745d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/8-135-0x0000000000000000-mapping.dmp

Download
memory/2068-139-0x0000000000000000-mapping.dmp

Download
memory/2068-141-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/2796-131-0x0000000000000000-mapping.dmp

Download
memory/3592-130-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads