metamorpherrat | 11574a8a11d48c306015020925fba5011bb5735f7ee9334d3eb30449421bfede

General

Target

70d9dd0f7c7d09155683ce83ae720215.exe
Size

78KB
MD5

70d9dd0f7c7d09155683ce83ae720215
SHA1

e650f6a12f350c3688982a457bcb45fb5ba35db3
SHA256

11574a8a11d48c306015020925fba5011bb5735f7ee9334d3eb30449421bfede
SHA512

4feaf54c34863ed87c93f987fb4993842b95b51633f25e7b1a6af1ecd80e9962efd4e108b064beea4b8537bceee552248bdd469040bc8d4a1081c62b54c08a5e
SSDEEP

1536:Ue5YXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6r9/q1a6:Ue5gSyRxvY3md+dWWZyD9/O

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2740	tmp6CC7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp6CC7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	70d9dd0f7c7d09155683ce83ae720215.exe
2092	70d9dd0f7c7d09155683ce83ae720215.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp6CC7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	70d9dd0f7c7d09155683ce83ae720215.exe
Token: SeDebugPrivilege	2740	tmp6CC7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2028	2092	70d9dd0f7c7d09155683ce83ae720215.exe	27
PID 2092 wrote to memory of 2028	2092	70d9dd0f7c7d09155683ce83ae720215.exe	27
PID 2092 wrote to memory of 2028	2092	70d9dd0f7c7d09155683ce83ae720215.exe	27
PID 2092 wrote to memory of 2028	2092	70d9dd0f7c7d09155683ce83ae720215.exe	27
PID 2028 wrote to memory of 2876	2028	vbc.exe	29
PID 2028 wrote to memory of 2876	2028	vbc.exe	29
PID 2028 wrote to memory of 2876	2028	vbc.exe	29
PID 2028 wrote to memory of 2876	2028	vbc.exe	29
PID 2092 wrote to memory of 2740	2092	70d9dd0f7c7d09155683ce83ae720215.exe	30
PID 2092 wrote to memory of 2740	2092	70d9dd0f7c7d09155683ce83ae720215.exe	30
PID 2092 wrote to memory of 2740	2092	70d9dd0f7c7d09155683ce83ae720215.exe	30
PID 2092 wrote to memory of 2740	2092	70d9dd0f7c7d09155683ce83ae720215.exe	30

C:\Users\Admin\AppData\Local\Temp\70d9dd0f7c7d09155683ce83ae720215.exe
"C:\Users\Admin\AppData\Local\Temp\70d9dd0f7c7d09155683ce83ae720215.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\swieuiqt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EBA.tmp"
    3⤵
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\tmp6CC7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6CC7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70d9dd0f7c7d09155683ce83ae720215.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6EBB.tmp

Filesize
1KB

MD5
d86839bf5d3a975926998968b190d8f6

SHA1
5015560d52d937bd1737a0a1b1b32ac3a7bcfd00

SHA256
0205defd02f87af43aecaa0646266007661b988479007ffa5202e71ea5191d5a

SHA512
7f6cb60165a018b503796cee0ee343a317fbaf96b972459fcee6d243a77d1fab4f868f46e4952de937888bb5f37fcda559513a19f94c0d19194fad205148bf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\swieuiqt.0.vb

Filesize
14KB

MD5
d177e06bdbd570a01dc372a3cf61a0fa

SHA1
fe5aa88fd7bf778bf3f669b935b1668e65c6b759

SHA256
c49359124d3f59c161e68e7d60ccd0560f9fff74de7a41f45ac6760d38a3da68

SHA512
71b8f07fe7ecac50802cda1c319fdc77760db5b89073e974fc7c4ed30f90c1153fe1a0913af720a76cdad8a1f605ed531e8fab72e47943acb7bbcc7d647838a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swieuiqt.cmdline

Filesize
266B

MD5
8e60afb61c8df58cbf80a0305dea6558

SHA1
4929304f37190c587f1cdd3d8a5ae883db56b532

SHA256
33e750cc400dca980ecb7e508d8b4204f13968e3f1af8e0987093af50de98431

SHA512
cc8c3ec8ad7e30bcdb81a36165e072428d74beb0adf4eb8c7f0a807318981eeada45929137c9aa509f36236fdc2a8e46de2f10075e3b0c0fa10c8bed5fc9b3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CC7.tmp.exe

Filesize
78KB

MD5
e4571207f588284ac64b60bbd5665677

SHA1
135c0c5e842a7798d0bb782a42cbdcc05ed57510

SHA256
c5ddd6ca0b2ba322d0108eced1cb5022994ea60f20423a88ceb7b3e89c6ecdc0

SHA512
87fcc27f99d536c85ae9c80f6abb16cebea8e3ef3cc64cd3982ea162a5dba58e3e24da3940aa7057750fdfd99a666cba5f1dcf36408278529dfba561874a7394

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6EBA.tmp

Filesize
660B

MD5
9446e94795c10df4e46ea4689db74077

SHA1
12699f528975bf6edc02fe3b76afb4a81ceabb2c

SHA256
093fd650226e5291db73d42b34dd9b765daf6681ea27be53200d46d8b9ace42d

SHA512
f4a86173b016562b11f8965f64f62704d84c029210b854f17f8c4a37fe06f4738f63ddb80a06396ec338c1e89e2eb5e5ecfdd997fa1955fd5f3693f042e5555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2092-2-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2092-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2092-0-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2092-22-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-23-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-24-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2740-25-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-27-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2740-28-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-29-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads