metamorpherrat | 9da05953d618d04d2a59501cf1f56cbe212c2b7cc2f31ce0298d6534600e4a2b

Analysis

max time kernel
1s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44923726297473ca80cdf655e865948f.exe
Size

78KB
MD5

44923726297473ca80cdf655e865948f
SHA1

1b5fdeb057be925dc89ff451dd8475ff9b2414e7
SHA256

9da05953d618d04d2a59501cf1f56cbe212c2b7cc2f31ce0298d6534600e4a2b
SHA512

91abc84d4a2d0cf3067c888824941fb7de3fe64fd2859c505d3e423e951fe1158360c7313d9040bc258759cae537879a3fab5328bb67786010ca68d2112c812e
SSDEEP

1536:ZHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt69/ty1p5:ZHFon3xSyRxvY3md+dWWZy69/a

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	44923726297473ca80cdf655e865948f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4972	2100	44923726297473ca80cdf655e865948f.exe	21
PID 2100 wrote to memory of 4972	2100	44923726297473ca80cdf655e865948f.exe	21
PID 2100 wrote to memory of 4972	2100	44923726297473ca80cdf655e865948f.exe	21
PID 4972 wrote to memory of 2204	4972	vbc.exe	25
PID 4972 wrote to memory of 2204	4972	vbc.exe	25
PID 4972 wrote to memory of 2204	4972	vbc.exe	25

C:\Users\Admin\AppData\Local\Temp\44923726297473ca80cdf655e865948f.exe
"C:\Users\Admin\AppData\Local\Temp\44923726297473ca80cdf655e865948f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhcfykpt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5728.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC68EE589BC1480FADE2C5377070A1C0.TMP"
    3⤵
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmp566D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp566D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\44923726297473ca80cdf655e865948f.exe
  2⤵
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jhcfykpt.cmdline

Filesize
266B

MD5
9d1a69ef4e8d5ee524f61881605af370

SHA1
dbdd332e73d9ba9bf5a48d6b0faf477791d90c0e

SHA256
af04ef07d99ee75c500ec40e393aeb890d9a448fbe4a69bd40b95d3b197fdca8

SHA512
0ac2e60328db7baf1027da1ac5683236a342c5ee627042629e7a0c3cd9b956a06986e1e4029a4c0de27aac6ccd091e5417d4ec8bf754499ca955a5250fd7130d

Download Submit
memory/2100-0-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-2-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-21-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-1-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/4496-23-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4496-24-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-22-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-26-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4496-28-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4496-27-0x0000000075020000-0x00000000755D1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-29-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4972-8-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download