metamorpherrat | 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0

General

Target

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
Size

78KB
MD5

c9f4e2314818da2b06658920b8a1eb83
SHA1

3b8b409fd7321aa8453c59e5dd99c1665622ab5c
SHA256

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0
SHA512

b047082b905b3be99090a26ec12354fbdf1bc0cca6263a9982575047784d0eab641ca1d842a1491ca54ff9d255e700931faef53ceb67fe405cc4cf64ae3c8987

Score

10^/10

metamorpherrat rat stealer suricata trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpD631.tmp.exe

pid process

2352 tmpD631.tmp.exe

pid	process
2352	tmpD631.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exetmpD631.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
Token: SeDebugPrivilege	2352	tmpD631.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exevbc.exe

description	pid	process	target process
PID 3460 wrote to memory of 2960	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 3460 wrote to memory of 2960	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 3460 wrote to memory of 2960	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 2960 wrote to memory of 1972	2960	vbc.exe	cvtres.exe
PID 2960 wrote to memory of 1972	2960	vbc.exe	cvtres.exe
PID 2960 wrote to memory of 1972	2960	vbc.exe	cvtres.exe
PID 3460 wrote to memory of 2352	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmpD631.tmp.exe
PID 3460 wrote to memory of 2352	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmpD631.tmp.exe
PID 3460 wrote to memory of 2352	3460	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmpD631.tmp.exe

C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
"C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xtbmchj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1A7010FA3EE45379A9D4D2DEE3E6BF.TMP"
3⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe" C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4xtbmchj.0.vb
Filesize
15KB

MD5
4eef10d527c11d6df6303e8c9d818ce9

SHA1
5c62442259676fb8c68cbc0ea0b51e5d8654bc71

SHA256
25949eabaccfa693d84e63556a60554ed26b675b9078efcc9ea1e172de6e6ad7

SHA512
fcb2afd8756d7a0d05f09d1a7b9fcad857ea6b237e9167eb2b9a557129a63699017ac3657e463909a93868cc91db46b836f9870147507d29455d1122f2c3be8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xtbmchj.cmdline
Filesize
266B

MD5
bff061fee28c1b6499d47d5f81cda00e

SHA1
cfb4a8c24bb621d488a53564c37f648bad2992b1

SHA256
ae429e05d1de4389afd43faad351b4485ae62e4ecb832864a55acef0663289f2

SHA512
13f74260d09871f903bb5cce58a62c841cc747a1657e4db077e405620512aa8740c1420fa98699c49941819d742dba0882282a9d2a58c02c7f1949493fd78fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC95.tmp
Filesize
1KB

MD5
3bff7e31a6f12045bdd9fd632007868e

SHA1
6af172f4811e4335e6fbfe3f26ea150813cb711a

SHA256
c62d2c958eb0939408524a07080820196dedce883a9c8ffb8b150a80798542d0

SHA512
b7a65a6e51d96a0e273e2fc75dd4191cb957c45be482319f91e3f370ff0ce4c9bbb580772d79c4f72d2babd2dc9493a77bafc1fd85f09cdcbe14da8b1c969927

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe
Filesize
78KB

MD5
3bfd4d2bfac328de39bac6219d751e2c

SHA1
af55466fdac3c24b58d31a9c26e38ade986c78da

SHA256
0bbd270126466350edd99859aec34daaecac30ddbde221f093e9f9776b3bf1b0

SHA512
86db096a854e4982e5540c4d659e8bed9ae496d8a9f6f365baeec5202f577f2e4a3813d677bcad7bfe20664c37828256cc20b7f0d8b8c4195b1c1e5557bae58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe
Filesize
78KB

MD5
3bfd4d2bfac328de39bac6219d751e2c

SHA1
af55466fdac3c24b58d31a9c26e38ade986c78da

SHA256
0bbd270126466350edd99859aec34daaecac30ddbde221f093e9f9776b3bf1b0

SHA512
86db096a854e4982e5540c4d659e8bed9ae496d8a9f6f365baeec5202f577f2e4a3813d677bcad7bfe20664c37828256cc20b7f0d8b8c4195b1c1e5557bae58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA1A7010FA3EE45379A9D4D2DEE3E6BF.TMP
Filesize
660B

MD5
9514b575c2ed195e6a1d788f672e86c4

SHA1
63eeca7c885440411bfea19ee878376175039774

SHA256
dbf98da595106abdf203ca7f2182fa99ff42af5fed45330764a86cbaf673d03d

SHA512
4ce1ad2141a942340e6a068758170dcf6afbbd7ec9236ff09008005da6b6875760a0ffec6b5f117100947817ab4812d382d4f1f16cac29d51d72da262389fecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1972-136-0x0000000000000000-mapping.dmp

Download
memory/2352-140-0x0000000000000000-mapping.dmp

Download
memory/2352-143-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2352-144-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2960-132-0x0000000000000000-mapping.dmp

Download
memory/3460-131-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-130-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-142-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads