metamorpherrat | 85a35530eabc89c14ff95fb1ab1848c9749c4714bde250d3e798e77f211a627a

General

Target

ae210788bd768ba5045a507e693a8163.exe
Size

78KB
MD5

ae210788bd768ba5045a507e693a8163
SHA1

9023d28eee827c8cf87bca3aa68df61c0426a5ca
SHA256

85a35530eabc89c14ff95fb1ab1848c9749c4714bde250d3e798e77f211a627a
SHA512

1296f39c090d2f56ec192dbcb54b3a86ba953dc614dae97a096c70eae3d89b0b7e5d3999f460a3ddf74783ed661325f2dd8834dba1a4a1f11794826b53334d1f
SSDEEP

1536:dPWV58FXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC639/F1j5:dPWV58FSyRxvY3md+dWWZyP9/d

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2660	tmp9AB9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	ae210788bd768ba5045a507e693a8163.exe
2784	ae210788bd768ba5045a507e693a8163.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9AB9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	ae210788bd768ba5045a507e693a8163.exe
Token: SeDebugPrivilege	2660	tmp9AB9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2576	2784	ae210788bd768ba5045a507e693a8163.exe	27
PID 2784 wrote to memory of 2576	2784	ae210788bd768ba5045a507e693a8163.exe	27
PID 2784 wrote to memory of 2576	2784	ae210788bd768ba5045a507e693a8163.exe	27
PID 2784 wrote to memory of 2576	2784	ae210788bd768ba5045a507e693a8163.exe	27
PID 2576 wrote to memory of 2572	2576	vbc.exe	29
PID 2576 wrote to memory of 2572	2576	vbc.exe	29
PID 2576 wrote to memory of 2572	2576	vbc.exe	29
PID 2576 wrote to memory of 2572	2576	vbc.exe	29
PID 2784 wrote to memory of 2660	2784	ae210788bd768ba5045a507e693a8163.exe	30
PID 2784 wrote to memory of 2660	2784	ae210788bd768ba5045a507e693a8163.exe	30
PID 2784 wrote to memory of 2660	2784	ae210788bd768ba5045a507e693a8163.exe	30
PID 2784 wrote to memory of 2660	2784	ae210788bd768ba5045a507e693a8163.exe	30

C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
"C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\utmg3zf9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C4F.tmp"
    3⤵
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp

Filesize
1KB

MD5
74182a60c8fba7254f81edbb49f2dd74

SHA1
8bbb5c50e09ad2cb4c0bd5add07ee7a0ebb1fc07

SHA256
b78901e0578613b2c71354fb7361102a64685787a2c369d5292423ba4a0b1caa

SHA512
897e0a9ad356fc45e397dd65d70de470dd7c61339b992b9867d7bc3e1177ee792fb324394b4c904859a1a7e43311fa085cc10c8479ec7ce5447ea40fc7a50452

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe

Filesize
78KB

MD5
329c79e51ce4f072eb3fe0f24cb06afe

SHA1
89cc5a3dc6fdffa84b0c8c3451d7441a58408860

SHA256
c1083f2af475c54fc149b20df6a0ea974829993cb149d8ec13e6821ceaa52ab0

SHA512
83045233fe0ca90cefaceea234e01a2080ead26e3ee6e201538a27613caae0cec5e40abfd267ffee9b50e829db0290dd8ce3385e58e629f76eaea75e5d2d162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\utmg3zf9.0.vb

Filesize
14KB

MD5
a19d769ce531a7bbc9b2843f857a5352

SHA1
733a9862dea87814484ab99bb1824a46f5b90e3d

SHA256
696c94533509f50d1b07346a530b63568f078a1c99993c4540b983c0f30f7e28

SHA512
e8f29744abd85f616f0607f76a6c690173a3f6d66053834ff291bc561b46a48985fe274cb2bcea63bac2a2e79b31c403ed7d9e0be5684ddfb9f770f40b08e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\utmg3zf9.cmdline

Filesize
266B

MD5
c6e057baab0a44697d42a96fea614370

SHA1
3afbc2fc08df508c43b74be26eaad88b65c323e7

SHA256
f82b4b819e0546ac69f9ccac9c773e4a568c976906de10e757b6508a12931371

SHA512
194a40fe24e2b89de0430180e5f31324191d7c500897b89536acf7cb11ffdba1e85c1e5f53a9e03f4489a0a0ba00a44f30a617341bc9d8296d05c84339f0416a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C4F.tmp

Filesize
660B

MD5
99dcd86ec0843ea94dd6847ebf850237

SHA1
2b2f2b2794af04223e02e931ff687b8ad395f0fe

SHA256
3ee1ce404508f7aff28393722a954b8b6b8cb565bf30a2c3ed0c36fdbfa623ec

SHA512
35e0cd56cec52c2d8c38238cf05204b3dcecbbaebee2ecf9782abe15c332ec8f18a63c022eb11ce737f6a861cc2a5e2a14bd34f6a5a99d41138a80979607e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2660-25-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-29-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-28-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2660-27-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2660-23-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-24-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2784-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/2784-22-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-1-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-0-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads