metamorpherrat | d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6

General

Target

d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
Size

78KB
MD5

bca232d75b22ea2eb38d8875fdba585c
SHA1

1b0721050bf6d2d208deb945f7cac8ff28e5c35a
SHA256

d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6
SHA512

6f70e3c4fa7ee9ec8277c07d656e9be7bbdde8f302d844f56ab106ca176470d300af636bc07cdfb128f3e835d8155ccf7bd0525e09b2fd47982263817a1faf5f

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp6602.tmp.exe

pid process

2244 tmp6602.tmp.exe

pid	process
2244	tmp6602.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6602.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6602.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exetmp6602.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
Token: SeDebugPrivilege	2244	tmp6602.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exevbc.exe

description	pid	process	target process
PID 3136 wrote to memory of 4412	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	vbc.exe
PID 3136 wrote to memory of 4412	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	vbc.exe
PID 3136 wrote to memory of 4412	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	vbc.exe
PID 4412 wrote to memory of 4632	4412	vbc.exe	cvtres.exe
PID 4412 wrote to memory of 4632	4412	vbc.exe	cvtres.exe
PID 4412 wrote to memory of 4632	4412	vbc.exe	cvtres.exe
PID 3136 wrote to memory of 2244	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	tmp6602.tmp.exe
PID 3136 wrote to memory of 2244	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	tmp6602.tmp.exe
PID 3136 wrote to memory of 2244	3136	d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe	tmp6602.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
"C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\69enbh5g.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc548687F639A848898B9A8E54854046CF.TMP"
3⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69enbh5g.0.vb
Filesize
15KB

MD5
2ffca42f0920b7aa3516c03a14080888

SHA1
477491bcd39538155f60ae8af070b1f6643af914

SHA256
1143d438220aba49762bfd105b85b22e542c7f02bb22530e29911403feafe7e2

SHA512
def70fb5e7207fb439fa8425077c943ac4ba8e89045df11324a25e266d62d7c4705524c481f51195b5cf6ecab0ea963de57d592d610b8feee8563e8b45d63936

Download Submit
C:\Users\Admin\AppData\Local\Temp\69enbh5g.cmdline
Filesize
266B

MD5
0ff84085269e22e80a461499920b620f

SHA1
e628bf596d98d8512c68e2e1d94d6d45838a3a63

SHA256
7f6caeaf07171daf76f982e22f6f3e550c6c8227d2a52d65a60fcce4d83d6c1f

SHA512
74e1fb00dfd22b5d8fc3bea39ccbb003119809ee5f555d87cb7a900bf36c78a07ad4fd520690b09ca143ad58e6691ed5ac1c3b27ef4e3a8ba0239086d50da541

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6798.tmp
Filesize
1KB

MD5
8b1949a01230fc76fe98fdb20951e823

SHA1
b3032eeaa9bcb1229906384854a50250a14c6f95

SHA256
3c223ae341af4f2f23fb0dd3a9efe40e159e5069866ae9ac5a1cef90e4890c96

SHA512
34690461d2f935e7f821026970987b42007acffbd1de33d12573c44803d28f13a80b8822f06b318bbb776e55154fd143c74e2e49e30e1b6180b5ff1bbbfb1ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe
Filesize
78KB

MD5
5b09c90bb07c0b06450b6eaf16cc280d

SHA1
6448330e363c06bd60c0b1e9821ede0509c14026

SHA256
1a52aa12231ff6c5eb50ffb5c0562938bbda70b5af6ba21eb2c9c0e44f5f3eae

SHA512
153706685edc078f41499f6a8a8036f8bbee8abc8a5996af01a53c0e54220261fddd9d0c092d0941651ffe3400f65ece075952c96f171e0b49686784b5114f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe
Filesize
78KB

MD5
5b09c90bb07c0b06450b6eaf16cc280d

SHA1
6448330e363c06bd60c0b1e9821ede0509c14026

SHA256
1a52aa12231ff6c5eb50ffb5c0562938bbda70b5af6ba21eb2c9c0e44f5f3eae

SHA512
153706685edc078f41499f6a8a8036f8bbee8abc8a5996af01a53c0e54220261fddd9d0c092d0941651ffe3400f65ece075952c96f171e0b49686784b5114f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc548687F639A848898B9A8E54854046CF.TMP
Filesize
660B

MD5
78703972c26d05f847bfa75280f2ed2b

SHA1
8cf19a7b45100e5319bb4213bfee4b9d9ddb7d62

SHA256
5f43c877be1b4fad50f54d5cc7fc1958a9f490c1ebac0a4bfd7659901655a886

SHA512
c81a33d893ee0d782bf3021a1e75442c023d634ee0866eac89068b2488c5fbfee747f25a02c6bed95bf60446dac41e29a89ad3555b7c14827e173bcceb75a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2244-139-0x0000000000000000-mapping.dmp

Download
memory/2244-142-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2244-143-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3136-130-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3136-141-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/4412-131-0x0000000000000000-mapping.dmp

Download
memory/4632-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads