metamorpherrat | a32ee6a1016da3fa161567b7c6076f04349bbf68dd8d0121216dc87d945a8291

General

Target

86708573785c3eaff0a6a5295bdb2b61.exe
Size

78KB
MD5

86708573785c3eaff0a6a5295bdb2b61
SHA1

218eb32d41e4506c327c47e21e1ded982fc89db4
SHA256

a32ee6a1016da3fa161567b7c6076f04349bbf68dd8d0121216dc87d945a8291
SHA512

932e1ef0b38eebad4ecc355a52350c7f998262af132817c0a27833e961eeb6b6602cb6acedb0dd2cc4bca21d5bb6e0935a63ea2f7db7858db07176616b7f6c98
SSDEEP

1536:sCHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQten9/S1/p:sCHFon3xSyRxvY3md+dWWZyen9/y

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2820	tmp7649.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	86708573785c3eaff0a6a5295bdb2b61.exe
2416	86708573785c3eaff0a6a5295bdb2b61.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7649.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	86708573785c3eaff0a6a5295bdb2b61.exe
Token: SeDebugPrivilege	2820	tmp7649.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2644	2416	86708573785c3eaff0a6a5295bdb2b61.exe	28
PID 2416 wrote to memory of 2644	2416	86708573785c3eaff0a6a5295bdb2b61.exe	28
PID 2416 wrote to memory of 2644	2416	86708573785c3eaff0a6a5295bdb2b61.exe	28
PID 2416 wrote to memory of 2644	2416	86708573785c3eaff0a6a5295bdb2b61.exe	28
PID 2644 wrote to memory of 2812	2644	vbc.exe	30
PID 2644 wrote to memory of 2812	2644	vbc.exe	30
PID 2644 wrote to memory of 2812	2644	vbc.exe	30
PID 2644 wrote to memory of 2812	2644	vbc.exe	30
PID 2416 wrote to memory of 2820	2416	86708573785c3eaff0a6a5295bdb2b61.exe	31
PID 2416 wrote to memory of 2820	2416	86708573785c3eaff0a6a5295bdb2b61.exe	31
PID 2416 wrote to memory of 2820	2416	86708573785c3eaff0a6a5295bdb2b61.exe	31
PID 2416 wrote to memory of 2820	2416	86708573785c3eaff0a6a5295bdb2b61.exe	31

C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
"C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\prvofnb0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78B9.tmp"
    3⤵
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp

Filesize
1KB

MD5
745c5549e202dfb6bb47e2cfc93285ec

SHA1
9fa7b1f66c43f8bb517cd6a6a04b433d0940093c

SHA256
c8222aa0e7ebaf0eddd067e2cb2310429e584785280680146dfb903c8154d178

SHA512
d7f4400659dd510a6864e9679e9ffea3db9dace67aeee322d0914b3c59a461f485e2e0819a14b75f427d1a69ba7eac9f8b2550946a14d67abd5d23db55a41495

Download Submit
C:\Users\Admin\AppData\Local\Temp\prvofnb0.0.vb

Filesize
15KB

MD5
6123350d90b5fbe51b4a9263cb73655c

SHA1
a50efc928552d44ebb0294600702191078b11f31

SHA256
7c9636c739acf4948111d249e83bb50322c988f0ad862342adeb2a62415be45f

SHA512
4e59db1a852f6d6e5e5188a320859433a3de9055c8b0e385578c29f34c2d2ae38a4b309b07c8e65ca6feea2550f24d543f7f760f0cbec4b397f036f48e290fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\prvofnb0.cmdline

Filesize
266B

MD5
c787c8cfcb15657f12e4624666400bf2

SHA1
f1308bc2a14a36ffe957af78478408715b4e4310

SHA256
bf9285851ecdaff3bc3c0e56248a547981bd0e7634b4c81e4cf7f8750193227a

SHA512
9a7439e5ad8c53b80074bcbe63164e892eae196c13cf677cac9e11e60dd14700d69dda15b49dbbcee226a02f0e7ef53ba8e258e504b0525191c697a232e60710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe

Filesize
78KB

MD5
04c18a6d3f32f24f4c7cfb12e2f51c87

SHA1
bc14bd0de5c7674e35c39901665654203433a551

SHA256
b4b4fb231d28ce500845e367b7487f630e6ebc1a849765e130bac3917a4af3d1

SHA512
e1e5e91a1460e062e89db22265a1fc41fafccae530dfef96005818c5dfbc83218da632c037c47357b61aa31b4c6c06623fba52317eba283b261db2ba635e8d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc78B9.tmp

Filesize
660B

MD5
505bb13f003b9830245165c4cb66ba58

SHA1
5995e5280453389e98cbaa4a543c1f47f413aa6e

SHA256
3e2c02f6af77e5d8b52c04ef4ac8a40fdf4934aa3ea8714b0379c571b930cf2b

SHA512
02f6dfda1b7729451382787160888962638a1dc12fa2e879ceaea448d7708c4e73ee78c7cff837870c3cecadfc2bd28d957129e7ee2905c98ed98a9729a59286

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2416-2-0x0000000000C90000-0x0000000000CD0000-memory.dmp

Filesize
256KB

Download
memory/2416-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-0-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-23-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-8-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2820-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-25-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2820-27-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2820-28-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads