metamorpherrat | a43e885f7fca314ec3c2c711cdeba990a28a1601b67c052d8c1eab77f6cbd74e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
Size

78KB
MD5

faf344cf24dd3dea047851ab50c7f7c0
SHA1

ca47a5496cc82df44f07b23e0730edecd4000a80
SHA256

a43e885f7fca314ec3c2c711cdeba990a28a1601b67c052d8c1eab77f6cbd74e
SHA512

d957ac9ca87e6e47851fff2fac011459540573c34a4722caf6b90ef81a86bd52fbc986363ccaf364b83c7bea790c8ab3446394a7d1b32fe125b3b9085d018fb2
SSDEEP

1536:oVe582pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6F9/Ym1SO:ke58oJywQjDgTLopLwdCFJzG9/YS

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp3D2F.tmp.exe

pid process

2132 tmp3D2F.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe

pid process

2244 NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
2244 NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe

description pid process

Token: SeDebugPrivilege 2244 NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe

pid	process
2132	tmp3D2F.tmp.exe

pid	process
2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe

description	pid	process
Token: SeDebugPrivilege	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NEAS.faf344cf24dd3dea047851ab50c7f7c0.exevbc.exe

description	pid	process	target process
PID 2244 wrote to memory of 2944	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	vbc.exe
PID 2244 wrote to memory of 2944	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	vbc.exe
PID 2244 wrote to memory of 2944	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	vbc.exe
PID 2244 wrote to memory of 2944	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	vbc.exe
PID 2944 wrote to memory of 1712	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 1712	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 1712	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 1712	2944	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 2132	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	tmp3D2F.tmp.exe
PID 2244 wrote to memory of 2132	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	tmp3D2F.tmp.exe
PID 2244 wrote to memory of 2132	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	tmp3D2F.tmp.exe
PID 2244 wrote to memory of 2132	2244	NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe	tmp3D2F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozesrtqe.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EE4.tmp"
3⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.faf344cf24dd3dea047851ab50c7f7c0.exe
2⤵
- Executes dropped EXE
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3EE5.tmp
Filesize
1KB

MD5
da21425381fe38ccf8e1518f0b1692aa

SHA1
f3ef5bd3ae0c97a5578f1db6d5cd56e6a8a5a78a

SHA256
d8713ce44b765e5adcfe504fdda6aef076c38c76374e0019997c627a851a5d98

SHA512
905e6d60ad0ab6affd2961e2c20f47427deb5ee5db8309438a4d4aad7966c37c2564b18a2a8d6c7224418bb93707c66b0183bc6a40b6b7f6f6df4d920c76b72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozesrtqe.0.vb
Filesize
14KB

MD5
09c442ce103a35fa28611533e62140d5

SHA1
349236c84706180b5bfdc81a1cf7160d3838c6ff

SHA256
222303fc2326e8103d546bf48cbd6724ee7066c6fb2d0fdc88300488c403bbbc

SHA512
71f229cd0d068a76f430aaeeec75f24e0bca5db3bccbe7e71e225f182f421ba6fe44f63ab67871c7f5996a1df0e4f398c3f133b91d98aec49b2ff3142b94dc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozesrtqe.cmdline
Filesize
266B

MD5
0d411a86f6b00e4127c0936337dc981f

SHA1
41159e32e945b7280f75d86539200030232b15b0

SHA256
d3105842b232d983bc29945dc4bd7fbf14f13df330d88f650a751b9167740142

SHA512
2adeb8f1f2fd520fed46dee971a36491493a7513d771943a5c5398818b08e87216e3f8fc75bb3b789e0123d2aaf7c5396fa8fe98bc4249434b596e968390076d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe
Filesize
78KB

MD5
f5dda037f1d1e5db45317810496bc08c

SHA1
d858e732709cc0f9b529a3bba77aec79ac00cc14

SHA256
f2e343fdea9638b929ea01fbf457438710c0cd83f86fab5dbdc012e3a73b4776

SHA512
bb748cc7b400b71ccc1ab7c48b2bb786018b9e99ee399232ed5caad4816ffbc801d0806dfc64322bbbe514c4aae604327a04d2dad4631f4c41fb244d3692217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe
Filesize
78KB

MD5
f5dda037f1d1e5db45317810496bc08c

SHA1
d858e732709cc0f9b529a3bba77aec79ac00cc14

SHA256
f2e343fdea9638b929ea01fbf457438710c0cd83f86fab5dbdc012e3a73b4776

SHA512
bb748cc7b400b71ccc1ab7c48b2bb786018b9e99ee399232ed5caad4816ffbc801d0806dfc64322bbbe514c4aae604327a04d2dad4631f4c41fb244d3692217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3EE4.tmp
Filesize
660B

MD5
88afca7ec18aeff546ee28841a6ad1fe

SHA1
96c7bf06782d6c46732335912e13205f79b8f6fa

SHA256
3d57a5e0b335774760f52b6e51d5e42af5fb20c8bbe13fb0aac165643a08feac

SHA512
496467aba7948e3c1f63476a56d414553e7cd32ce7d264252d70ddbcf2f182854f9ce2389ac79b5d03ca817b76f6341b7ea00c8534e39e681cabc1185d4e53fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe
Filesize
78KB

MD5
f5dda037f1d1e5db45317810496bc08c

SHA1
d858e732709cc0f9b529a3bba77aec79ac00cc14

SHA256
f2e343fdea9638b929ea01fbf457438710c0cd83f86fab5dbdc012e3a73b4776

SHA512
bb748cc7b400b71ccc1ab7c48b2bb786018b9e99ee399232ed5caad4816ffbc801d0806dfc64322bbbe514c4aae604327a04d2dad4631f4c41fb244d3692217f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp.exe
Filesize
78KB

MD5
f5dda037f1d1e5db45317810496bc08c

SHA1
d858e732709cc0f9b529a3bba77aec79ac00cc14

SHA256
f2e343fdea9638b929ea01fbf457438710c0cd83f86fab5dbdc012e3a73b4776

SHA512
bb748cc7b400b71ccc1ab7c48b2bb786018b9e99ee399232ed5caad4816ffbc801d0806dfc64322bbbe514c4aae604327a04d2dad4631f4c41fb244d3692217f

Download Submit
memory/2132-24-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-25-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2132-26-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-28-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2132-27-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-29-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2132-30-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-0-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-2-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/2244-1-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-23-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-8-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download