metamorpherrat | 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73

General

Target

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
Size

78KB
MD5

b6e8fa374675658ee48142da90c14bd6
SHA1

53ec1171fda63af0eae7e440bc6aa0d7bf3094b5
SHA256

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73
SHA512

86568c84272077e3f295d47805c337981ec59d9f56d3c258a8fd1c0ad5aed996e53d9d1604ada5c01abb21c01340d3302e1ac72dfa4b798e98bf51e0c1ce5e4d

Score

10^/10

metamorpherrat persistence rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpA27E.tmp.exe

pid process

456 tmpA27E.tmp.exe

pid	process
456	tmpA27E.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpA27E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA27E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exetmpA27E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
Token: SeDebugPrivilege	456	tmpA27E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exevbc.exe

description	pid	process	target process
PID 4628 wrote to memory of 4504	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 4628 wrote to memory of 4504	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 4628 wrote to memory of 4504	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	vbc.exe
PID 4504 wrote to memory of 2760	4504	vbc.exe	cvtres.exe
PID 4504 wrote to memory of 2760	4504	vbc.exe	cvtres.exe
PID 4504 wrote to memory of 2760	4504	vbc.exe	cvtres.exe
PID 4628 wrote to memory of 456	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpA27E.tmp.exe
PID 4628 wrote to memory of 456	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpA27E.tmp.exe
PID 4628 wrote to memory of 456	4628	556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe	tmpA27E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
"C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tr25np84.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA405.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7675E8E2D08412B814063D96B886517.TMP"
3⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA405.tmp
Filesize
1KB

MD5
f8e2dd8d84f843d059c895f591d2f35c

SHA1
86ede02eba31e2bddebbc0aa6ac9fc56191b2837

SHA256
597705d7b08e142a41dcf76b29fd0b61ac68f2575dda273cb288febbd1562eb5

SHA512
f66fb5cd37ac7be365932521f7300d9636097363763832522ca23358abefd8d4996559fbaf9e12c5c90b4741a50aa1bae79e8187a1ec2f41358125d3f3fb63ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe
Filesize
78KB

MD5
10281dbf002f0a74181e7d2b925d4f9a

SHA1
7cdae961d61c01a9bf32401f6d3ba00091d2a702

SHA256
0638fb9db583ffacb5d2d40582c2ab385f8dfafa883b8e43ced45d2bf170a049

SHA512
73de0e10c506c4a31855df1c4d15687fba133269784ee0d483a01bfd51c6729ff9c9575385d7c7d17ff6dfd23085fe434280423d75410215b3d8f15b613ffcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe
Filesize
78KB

MD5
10281dbf002f0a74181e7d2b925d4f9a

SHA1
7cdae961d61c01a9bf32401f6d3ba00091d2a702

SHA256
0638fb9db583ffacb5d2d40582c2ab385f8dfafa883b8e43ced45d2bf170a049

SHA512
73de0e10c506c4a31855df1c4d15687fba133269784ee0d483a01bfd51c6729ff9c9575385d7c7d17ff6dfd23085fe434280423d75410215b3d8f15b613ffcc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr25np84.0.vb
Filesize
14KB

MD5
24dfe4dd0d0826bc0599276846362d6e

SHA1
fbf0a21c1afc403843879c4bef5bfaeaeabcdc97

SHA256
4f0de2914862db1e29d4567d0502edd42ef1f6a8d9b777e97c4d0ec46a438474

SHA512
7ed410edd0986af064da1f3031c01b6f74b5b6285de5810668047fcb9aa440cb78b4fa849223f631116a3cad760b3059e289570ef6da25bb482e6ea4ac1c55b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr25np84.cmdline
Filesize
266B

MD5
d5c4a68e31cf7c03d2b4b43fe17306da

SHA1
a4b9a00c12bb2c35f9c6c79ca39349acdbd65fea

SHA256
9af98e33e4698aa5c6aca24b619e50e5532a3b1e758d0dc07bb592182233da7d

SHA512
8d272db13219227ca5303fee7077edfbaf96b0fafd93827d4ef04734467308ca6fa5dbf503a724be608df263ac8f1dd80ac7475837ba3d29607e94d36b183101

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7675E8E2D08412B814063D96B886517.TMP
Filesize
660B

MD5
c1f0a6fe39680054aa586be17e1fcb0e

SHA1
4750550a5d33658acda2540cb270aed9f0cbda14

SHA256
4073747a9f4331fca3c985ea30ccee168c041a911d17909a989c883b474f091f

SHA512
a3a53bbcf23eb612adae23843b5658430e441f8999b173041b14c1f5ea1762a419caad2527157e3a501208e16e9f366d6053917e33c4cc0397f74df7a9b431d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/456-139-0x0000000000000000-mapping.dmp

Download
memory/456-142-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/456-143-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2760-135-0x0000000000000000-mapping.dmp

Download
memory/4504-130-0x0000000000000000-mapping.dmp

Download
memory/4628-133-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4628-141-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads