metamorpherrat | 655584d79282fc1d930fefde09cf190ae2e9ff72cab59a828b73f6e86101b316

General

Target

a159cb41fb774addaa90dcd79ad5bdc3.exe
Size

78KB
MD5

a159cb41fb774addaa90dcd79ad5bdc3
SHA1

a5440ae698758676f7a9cfad55969f898b45e9f2
SHA256

655584d79282fc1d930fefde09cf190ae2e9ff72cab59a828b73f6e86101b316
SHA512

f1ca3b602a01f5f7aecc848bf4519e6e1927fa94d59ad54126ffcbf51e8e66d86093df6612761ab7c17d5ad5c504f15611b01cc6638eb84668c2a3b1d1ff942c
SSDEEP

1536:EPWV5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6j9/2S1EP:EPWV5jSrn7N041QqhgL9/I

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2564	tmp43C4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	a159cb41fb774addaa90dcd79ad5bdc3.exe
2044	a159cb41fb774addaa90dcd79ad5bdc3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp43C4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe
Token: SeDebugPrivilege	2564	tmp43C4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2020	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	28
PID 2044 wrote to memory of 2020	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	28
PID 2044 wrote to memory of 2020	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	28
PID 2044 wrote to memory of 2020	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	28
PID 2020 wrote to memory of 2660	2020	vbc.exe	30
PID 2020 wrote to memory of 2660	2020	vbc.exe	30
PID 2020 wrote to memory of 2660	2020	vbc.exe	30
PID 2020 wrote to memory of 2660	2020	vbc.exe	30
PID 2044 wrote to memory of 2564	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	31
PID 2044 wrote to memory of 2564	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	31
PID 2044 wrote to memory of 2564	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	31
PID 2044 wrote to memory of 2564	2044	a159cb41fb774addaa90dcd79ad5bdc3.exe	31

C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe
"C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1evta2ys.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4598.tmp"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmp43C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp43C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1evta2ys.0.vb

Filesize
14KB

MD5
cca9fb6a7814f07fdbf228d7f564e895

SHA1
f6858d91dc87c20413685ce8ef9db3ac84b871ec

SHA256
e97e22435834aca159d8f263d4aa7612202bde89e156e5ea631e4970ce519b80

SHA512
d60da3d22f2f6735948beca31a9977793dc8d75103b1b9c895a365e38b9801beaf466bd4f50818737c70a93ca389c1c085bad3b4b71456bec667a7b418af7232

Download Submit
C:\Users\Admin\AppData\Local\Temp\1evta2ys.cmdline

Filesize
266B

MD5
a31be829460d01e0054148c4cff8dded

SHA1
5a00d50b74fc5aec0205d2c282c8515a7c098e49

SHA256
20528d25483e6728a287e38a52bf65c56ee166c3e9226b1e5cd3e5c011b747da

SHA512
97b041cf91ff523dc680d7b97c109ae80a9b451d70c01c0ba2f9fa04c9199a1fec55cd7fd1d6ae07c7cd06b5f764a3c05cc0789e07739efa825f64d9fee51247

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4599.tmp

Filesize
1KB

MD5
fb046f38a5bed30f18cb4296a748c797

SHA1
89d4827158ad2beab860b19003caf79fec39223c

SHA256
42b4af32b3f979952408e07a5e4b30e06077d97b04fcf8f41edc7d8f35e76048

SHA512
4457231d8897accf143e06de7537b6d5057644599f0452e16799a5d1f481d61c53cf5bf7b8ea4c987f7634d6b71eb4657822ae41c264a76b908900515d59580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43C4.tmp.exe

Filesize
78KB

MD5
bef7821bd2ba68650f0574e6ed3beeca

SHA1
6d5013ae18a858835228eff99dc37ab91d3e9815

SHA256
0c62980b6a2e7948def95e0eddade4190f0a7bb70b23de02e1c8651123b22d7b

SHA512
09e2ec98466c1cb2c46ebd096c8cf335e6915eb49160611fc08e99ac1c34343b5ea70387b2bed8558f577038fc564d2cdc48a9ebd402aac797ef9296d46bdfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4598.tmp

Filesize
660B

MD5
c6d088ab360464f837d5e40b6192ac63

SHA1
7b3ea1f364b63ba8895771f61ba1dd6b7b802a92

SHA256
6ece574cbc02b4c02fb8e91da194c204a9c0a5681a39f3b59852bc796fd09e26

SHA512
75c81b6777f67c0c50b6ce48988a2a8601e9c5c77ee636694d79e2879bba04ba53384ec3f4befbc33388469a858a3bc3eee2696e6eff1bfdac7ef448fe16b36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2020-8-0x0000000001FF0000-0x0000000002030000-memory.dmp

Filesize
256KB

Download
memory/2044-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-2-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/2044-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-23-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-25-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-27-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download
memory/2564-28-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2564-29-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download
memory/2564-30-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads