metamorpherrat | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e

General

Target

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
Size

78KB
MD5

a458a860cc198d046bd160f8dce82e13
SHA1

98b3e2bb8224e751135e9c2b74ed8a7f428cd66a
SHA256

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e
SHA512

bb9f213bb110615733628807537616bba34fb9895b3363516b97396a126942f003fe69a0808bcef7a410e58bba81430183b33187f292b0659377f39bb92d3891
SSDEEP

1536:8i5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtM699/0C19e:55jS7JywQjDgTLopLwdCFJzv9/e

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
Token: SeRestorePrivilege	984	dw20.exe
Token: SeBackupPrivilege	984	dw20.exe
Token: SeBackupPrivilege	984	dw20.exe
Token: SeBackupPrivilege	984	dw20.exe
Token: SeBackupPrivilege	984	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exevbc.exe

description	pid	process	target process
PID 3420 wrote to memory of 4900	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 3420 wrote to memory of 4900	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 3420 wrote to memory of 4900	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	vbc.exe
PID 4900 wrote to memory of 4236	4900	vbc.exe	cvtres.exe
PID 4900 wrote to memory of 4236	4900	vbc.exe	cvtres.exe
PID 4900 wrote to memory of 4236	4900	vbc.exe	cvtres.exe
PID 3420 wrote to memory of 984	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	dw20.exe
PID 3420 wrote to memory of 984	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	dw20.exe
PID 3420 wrote to memory of 984	3420	b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
"C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7tm3mqro.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29ACA4A62CAF411C89483E7928297D1B.TMP"
3⤵
PID:4236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 980
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7tm3mqro.0.vb
Filesize
14KB

MD5
c9ac861d8b336c67ce019e166cfc1c35

SHA1
04c40377a02ee0f481e836131737fde465cde45b

SHA256
f83889504b6e4b7f9b1856693ee6a4452d7b4afcb0fe6d6613df5bed0b6f1c9d

SHA512
fe7b8369f79731e542967bfbdd2bfe7dae4438933a6f9dfa808ef0c76a191dd487494de62aa6332fd0d98ced1fa628bd5821034c471c9987d3f430096b3a8eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7tm3mqro.cmdline
Filesize
266B

MD5
e1511a87643d1a31569b93c24bd52b9b

SHA1
034d59b34e3df2f2fc2264a3d870825e6f08bc50

SHA256
eaa3555c93de07e66e52dea8d683e9d989dbc02dcffd34caf12de88fd470041e

SHA512
458919f111e749d64dcf77b429a9c1e77a799d7f26f039aa19f992e2250824a0e8e2d5ba86aad3011b7ad0e1b4100c54a1f226398977b53bcbe1d80d540870e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB87.tmp
Filesize
1KB

MD5
730db9bbd8eb1bc7bf8c6c5452ab5be1

SHA1
8b1369d48a89b7e1a77de319556fe4793e29ad09

SHA256
25bbb579fdb74f2f54fd63b5f687a97fe98e9a53b9861df5a35a859b8d7bbf6f

SHA512
eb625dd1cab705c14bbb28c7dd2087eedbafaa326e259297e1bc7f1b3346a343d564d81c04a7071b10bc41fff2b15bc38804b0a0ca0b83272fa1434bed4a87cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29ACA4A62CAF411C89483E7928297D1B.TMP
Filesize
660B

MD5
43b72633f3c5dded7c0876cff33a05b4

SHA1
a3d50c765db069cff02b04f05d97b30a76e458da

SHA256
89427e2ad67e41dfb8d08aff65db2e4b8b691d05258424600712ac9f88163400

SHA512
82d02509d2af5294aab2823de0923d8efe39261e809aad0f4807697875e08c4b364d16a87711304bcfb069498898c3e06eb3a5070aa69a8c602e42dd9312150b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/984-143-0x0000000000000000-mapping.dmp

Download
memory/3420-135-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3420-144-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4236-140-0x0000000000000000-mapping.dmp

Download
memory/4900-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads