metamorpherrat | 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5

General

Target

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
Size

78KB
MD5

0e8bd026f56f21cbd8a899387f20524a
SHA1

8b344cee89d25bb000d0f6d2f396c0d6507467e4
SHA256

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5
SHA512

faec15a510ddbb64162a58ce477afe806c6ddb35a91815580bf39092b9a6dde4d2da94c5b9c853d81c445a5bd8e8f37e614bb59330cd0bba3504729ec259b001

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp7469.tmp.exe

pid process

1384 tmp7469.tmp.exe

pid	process
1384	tmp7469.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7469.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7469.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exetmp7469.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
Token: SeDebugPrivilege	1384	tmp7469.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exevbc.exe

description	pid	process	target process
PID 2124 wrote to memory of 2304	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 2124 wrote to memory of 2304	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 2124 wrote to memory of 2304	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 2304 wrote to memory of 3440	2304	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 3440	2304	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 3440	2304	vbc.exe	cvtres.exe
PID 2124 wrote to memory of 1384	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp7469.tmp.exe
PID 2124 wrote to memory of 1384	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp7469.tmp.exe
PID 2124 wrote to memory of 1384	2124	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp7469.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
"C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddnbryaw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0F8A63A1A714DDD9E77359348E426D.TMP"
3⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES75E0.tmp
Filesize
1KB

MD5
cc874c263576f12e6cc8689fa0685b3f

SHA1
8839e3266cf4c7baf9aa7caeb093e810f880718e

SHA256
a7171061f1c809ab6f6cf01bd530b1053745196f49191124890401d2a3e9459e

SHA512
6c398d32d2092ecf23cdb67abfd01e4ffd59da1c1055d3f473b849eccee1ff3f2e3fec89bb88d1197936bb49ad905c1b06cdb5720e598b3a491b1a208a319718

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddnbryaw.0.vb
Filesize
15KB

MD5
424bc92dcf7a405fdc61a50952bfd315

SHA1
804e72908c71c1b769dca3dca1383e08e714a4cf

SHA256
5aadfc15750fa9d7ebb080fac299b23f1af87ab6122d465d94c332dd0ff7b11c

SHA512
03942c40a189aa7864694b53b4131a705fcd773304735e656f6def7fce21033093172b162b923bf6189c818b315b29b4f9fc0dbcfe69de0695ea86d0b0f6337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddnbryaw.cmdline
Filesize
266B

MD5
41dc26521e3a7585ea32388ba4e7b924

SHA1
463fa87dcd9bdea80c929c7b6779de9703e6d1d9

SHA256
f847a9ed93383ccb23544c8e035651a52c98e2a003821b21e3c9e610556e8190

SHA512
3d3c2b91d92038e77bc6c303afeea1a93c376a6e869504e1b3f8523226a6476550c1efcc3bd21e4ef371c056f80c1694dfda55c6630af4d0d28f8da3c08af56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe
Filesize
78KB

MD5
01377b5141f064785e8ad872c88e3aa8

SHA1
98433a23c523ac6833370483d5353f446670b47d

SHA256
fa5131937157372be70ee99308bb8796be7188f226eca644093b3d2f24b8fecb

SHA512
332db2cc26c0a4ffb60990bb865aa3e01dc617b7ee5e6f23ea9c8037fd036a8f6500b3c0bfb7f909fc028f4224283f605e27182d1963686ab425fdd69a80d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe
Filesize
78KB

MD5
01377b5141f064785e8ad872c88e3aa8

SHA1
98433a23c523ac6833370483d5353f446670b47d

SHA256
fa5131937157372be70ee99308bb8796be7188f226eca644093b3d2f24b8fecb

SHA512
332db2cc26c0a4ffb60990bb865aa3e01dc617b7ee5e6f23ea9c8037fd036a8f6500b3c0bfb7f909fc028f4224283f605e27182d1963686ab425fdd69a80d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB0F8A63A1A714DDD9E77359348E426D.TMP
Filesize
660B

MD5
59f4e66f086e5084f0cd08c396d14212

SHA1
4b6b4dab6ab93f3119fde5ee4f3c914e133270da

SHA256
aa156ff2561e4f07546fb5e0c4ab0ab55d8c94c2bf85944da02ffb5aa8529480

SHA512
fafe051c2e2492bb0a3505102b32d1dd11317757e4821a8ce6791ca0500170d3a607be492a6ffbb16bc114a86ff32f897e7050995dfb2bbb923a2a41292b8488

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1384-139-0x0000000000000000-mapping.dmp

Download
memory/1384-142-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/1384-143-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-130-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-141-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2304-131-0x0000000000000000-mapping.dmp

Download
memory/3440-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads