metamorpherrat | aa8deb75c9f50318e05c4f7d9899d9ce5071da30d4f4e63070ec501bbb25651d

General

Target

087127699707ac6a2ed047227ed0c909.exe
Size

78KB
MD5

087127699707ac6a2ed047227ed0c909
SHA1

b587c245978c2a67cb934501a2f9b54adf6d2a39
SHA256

aa8deb75c9f50318e05c4f7d9899d9ce5071da30d4f4e63070ec501bbb25651d
SHA512

3fc626feb40f5c538a13b6e630639861c9d525bf6d01d28c8a75fd6a9de6aa819ed462efa5f0a908fb5b278b4b5d58ac0f19f2d17b11cd0ef9cb79e52efe7b86
SSDEEP

1536:Ac5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6E9/hb1yH:Ac5jS+E2EwR4uY41HyvYM9/w

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2844	tmp1D70.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	tmp1D70.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1756	087127699707ac6a2ed047227ed0c909.exe
1756	087127699707ac6a2ed047227ed0c909.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	087127699707ac6a2ed047227ed0c909.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2556	1756	087127699707ac6a2ed047227ed0c909.exe	18
PID 1756 wrote to memory of 2556	1756	087127699707ac6a2ed047227ed0c909.exe	18
PID 1756 wrote to memory of 2556	1756	087127699707ac6a2ed047227ed0c909.exe	18
PID 1756 wrote to memory of 2556	1756	087127699707ac6a2ed047227ed0c909.exe	18
PID 2556 wrote to memory of 2424	2556	vbc.exe	20
PID 2556 wrote to memory of 2424	2556	vbc.exe	20
PID 2556 wrote to memory of 2424	2556	vbc.exe	20
PID 2556 wrote to memory of 2424	2556	vbc.exe	20
PID 1756 wrote to memory of 2844	1756	087127699707ac6a2ed047227ed0c909.exe	19
PID 1756 wrote to memory of 2844	1756	087127699707ac6a2ed047227ed0c909.exe	19
PID 1756 wrote to memory of 2844	1756	087127699707ac6a2ed047227ed0c909.exe	19
PID 1756 wrote to memory of 2844	1756	087127699707ac6a2ed047227ed0c909.exe	19

C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe
"C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wikjbqba.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DFC.tmp"
    3⤵
    PID:2424
- C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp.exe" C:\Users\Admin\AppData\Local\Temp\087127699707ac6a2ed047227ed0c909.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1DFD.tmp

Filesize
1KB

MD5
4882ab50b584bc77c2d6f9ba61c38843

SHA1
9d866a9393ebb531df14e60d3051c52fe6355025

SHA256
42ef69bf57d0050c7809eb82809ca7cb1ece3c3c7c65657e55bbcafc00d2ea71

SHA512
c3fd924b53a7b025edd6ef5bcd9842e38404e9ef9a669884f328c09db20746abfa3714a6704e9a5cc49311e6464ba7af5dcf4d0c62edf315fe12ca8f5ff02561

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp.exe

Filesize
78KB

MD5
19e8635100777fd640e883cd3ccc9d09

SHA1
3f3adff38cf85441e4fbbadc5a6a255b40033331

SHA256
9189be204c90f77555caf67776fec64b9e6a0494721fadb2013419f143b8924f

SHA512
25de69645551855d0c724e074916c6aa46495beb7314a7f5f3b0b9db576d1b73795f11f9f6e5986073ace8ad85c8d10e21b4bf7c2c6934d820ba13e0f10a1552

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1DFC.tmp

Filesize
660B

MD5
ef2f4cb76e2bc432149cd5945e2bd512

SHA1
b456fc990da7dc4e3f824259191d8f493b3bc12d

SHA256
67fe48f41749124ca19674781245c9e249bf31a48044cebb137b8267d3013adf

SHA512
5d65e00ea894e50f1913475859f11960f0e1a592aa6d43b9174c55eb6426a7072640194b5d9c59d0475e24b1b5ce221c6fc0452927f55b721cbc6fa1adf8d6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wikjbqba.0.vb

Filesize
14KB

MD5
7f05b8a73ae272fa614c98a3e0d1e2cd

SHA1
dd5b085932bfce6b2d7d5b9c0a7def3303a0544d

SHA256
8dacb9ae4913d29670dc47aa140bbc10a69669c027bd90b8a12ef9a060d2deb5

SHA512
a4b8827df7c9a575eaa580da712130d7ee4328545a9d8e656f6d4295da09f99dccad2fdb23f839a48e69934067ed41f3f73f304e00a2cc6f6f157f0fca17138d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1756-23-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-1-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/1756-2-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-0-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-8-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/2844-26-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-25-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/2844-28-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/2844-30-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/2844-29-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing