metamorpherrat | 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e

General

Target

8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
Size

78KB
MD5

9de5f6153622535b6cef04354364a3bc
SHA1

d2ca662e5cf9bb19490127d49ee872e8c51acfa2
SHA256

8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e
SHA512

c065cf0f511ef2e2fcd96e6d82214d1fc2a935ac9af10cc15a9569d73a06afbb8ab1162cc63dbac88d801e62db861489d88fe314d518e16ec61f280b5a9b6b83
SSDEEP

1536:SPWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtB9/d1da:SPWtHFoI3DJywQjDgTLopLwdCFJzB9/0

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
Token: SeRestorePrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exevbc.exe

description	pid	process	target process
PID 800 wrote to memory of 1112	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	vbc.exe
PID 800 wrote to memory of 1112	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	vbc.exe
PID 800 wrote to memory of 1112	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	vbc.exe
PID 1112 wrote to memory of 2784	1112	vbc.exe	cvtres.exe
PID 1112 wrote to memory of 2784	1112	vbc.exe	cvtres.exe
PID 1112 wrote to memory of 2784	1112	vbc.exe	cvtres.exe
PID 800 wrote to memory of 5032	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	dw20.exe
PID 800 wrote to memory of 5032	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	dw20.exe
PID 800 wrote to memory of 5032	800	8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
"C:\Users\Admin\AppData\Local\Temp\8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES812B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc709750C859284AFFB522BC4CD8132D82.TMP"
3⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 984
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES812B.tmp
Filesize
1KB

MD5
595e5184a4618e8a3b9424c9aa6d4a21

SHA1
36b041a09037dc0df818231d341da024bc0ed312

SHA256
f842c51fc3f10abe27a8b98fb42e8eab6e6dedc8a53240726af260248923b55a

SHA512
cdc978793a04c8ebb02ca745a21d02e5d4682d9eef19e092a96e90c776d4c34ecf8a89574ea65246ac48346bb603ccc7b5a21c0b657439d7f530a54dd4d6e8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.0.vb
Filesize
15KB

MD5
e97ed47bba3e25e43a3a6529c3644e9b

SHA1
cc5fd24779d56b4c5e02c70206948cd2bf426d7b

SHA256
7373d67a3342cb915275d04fc9150eb8d349b9bb7b9b7b3395b5f6976240af5b

SHA512
b492cee182c885be9fca6c1856ae5e879265c124ce60509cad1b833e9f8604c726c80a776c19dab12759fbcd9aedb689d2958f860b8af9257e67b0df2a030c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.cmdline
Filesize
266B

MD5
1f51ce859852d373ef34a85121c658d6

SHA1
3d40bd5b7cb3d5090824943a2c11abaeba55d227

SHA256
ecf732aa414c579c1000956a5f285633ac197354ceaa7757c960cb0f05ee2457

SHA512
128d754f3eeb8991e98bebc13b1e7315db5ce84b35bf612c7aa4c516b4be0cb22b70e085f6252ab7202f5d1d870a62b0bd5ee9c13d0600fab54380a0482f5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc709750C859284AFFB522BC4CD8132D82.TMP
Filesize
660B

MD5
331826bcd5c11a39789cb8ed1edbbaa3

SHA1
cf63cbc0f52dc95f0db374348aadd7fec18f0c9a

SHA256
24d4e0fd61516f15867f5f13b6876916da223063e3e7c31e7347b518870770b6

SHA512
179e52867c049c57e0f9b99214300ef29590e46b3eb7022e0953f2e98a8c09a07f51661fa8f6a5b784126cc5f92aa17c4ed5a5ea41a0dbf939247779d4c77597

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/800-132-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/800-141-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/1112-133-0x0000000000000000-mapping.dmp

Download
memory/2784-137-0x0000000000000000-mapping.dmp

Download
memory/5032-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads