metamorpherrat | b77ffa2d207284169106d837b65f41fae1fc40335d6d561f16a519507b819fcc

General

Target

b7e955b408896bd111883b2797b5206d.exe
Size

78KB
MD5

b7e955b408896bd111883b2797b5206d
SHA1

fd564fe92e456cd0777b8f6468a4cee8499c313d
SHA256

b77ffa2d207284169106d837b65f41fae1fc40335d6d561f16a519507b819fcc
SHA512

461b0bc42f32123fc0bf08cd008985ea9a760588daf00db5a225667baf7e9f38d5d69918f0cf639f218f6b7ab20fae27919392d8cd50f745f78e98deb886c9d8
SSDEEP

1536:APWtHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtT9/21Lp:APWtHYO3e/vqyA11XYUBxprBPjcT9/y

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2456	tmp909C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	b7e955b408896bd111883b2797b5206d.exe
2720	b7e955b408896bd111883b2797b5206d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp909C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	b7e955b408896bd111883b2797b5206d.exe
Token: SeDebugPrivilege	2456	tmp909C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2676	2720	b7e955b408896bd111883b2797b5206d.exe	28
PID 2720 wrote to memory of 2676	2720	b7e955b408896bd111883b2797b5206d.exe	28
PID 2720 wrote to memory of 2676	2720	b7e955b408896bd111883b2797b5206d.exe	28
PID 2720 wrote to memory of 2676	2720	b7e955b408896bd111883b2797b5206d.exe	28
PID 2676 wrote to memory of 2528	2676	vbc.exe	30
PID 2676 wrote to memory of 2528	2676	vbc.exe	30
PID 2676 wrote to memory of 2528	2676	vbc.exe	30
PID 2676 wrote to memory of 2528	2676	vbc.exe	30
PID 2720 wrote to memory of 2456	2720	b7e955b408896bd111883b2797b5206d.exe	31
PID 2720 wrote to memory of 2456	2720	b7e955b408896bd111883b2797b5206d.exe	31
PID 2720 wrote to memory of 2456	2720	b7e955b408896bd111883b2797b5206d.exe	31
PID 2720 wrote to memory of 2456	2720	b7e955b408896bd111883b2797b5206d.exe	31

C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe
"C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\he73k8ty.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9232.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9222.tmp"
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9232.tmp

Filesize
1KB

MD5
17a3ddf781606e7c137e6eed5045c423

SHA1
1ad74b1093509171f7bf8d534a531b92318e8ed4

SHA256
37f4326060b4d028cca9a3319d8c3d23304f51710905b0285394812d40ad8125

SHA512
0ffb35e64bb12fc637990cfdd46c514e29b77fbe1ccbe6e6b11a413cf4761d2626882ba6f705518c394231dd451e9b536f6646c9cc28576c5197e1a73a0b6736

Download Submit
C:\Users\Admin\AppData\Local\Temp\he73k8ty.0.vb

Filesize
15KB

MD5
a91cdd7173a3d8d00b18f34ac5f616f6

SHA1
f5c65ad38d30fea4cdb776981647b878c856178d

SHA256
3afb790491723b2c68c59b1219013a5a0769c93faf4cb4c0de8dfbe61ccc6b72

SHA512
0202ae19eadbb3247a2d2103c1cea188ea4a7022b5b3f6ae652e05a37d43d25408c8164d8c49d2055fe6e0b2ce4e803c1e3ee03083b84772a060cee85df13c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\he73k8ty.cmdline

Filesize
266B

MD5
ffc7faec883db618a13a38f299da25b5

SHA1
c1b023c2623df83205db7446596b70bca9dae483

SHA256
c2d22b05b8bba998b814e52589ca374a7fa9e419cc5b5b516db5c6c6664fadf3

SHA512
36269081aef3f7c8e5d7f2c84c5cea39f4930a7845361245178000ccfec8061a8183bf730da774f4406e712271208dad2305dc54bbc8450854dd906d6bf05917

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp.exe

Filesize
78KB

MD5
79c4d112a6cc3b885eba211c1c7ccd1d

SHA1
5c7a04e664b8afe780fe75af24e7fe55eee0480f

SHA256
638b2d81d09195f60d0090e93e3c436784c175b7d3a68d6119372e1e37faa4d5

SHA512
4de7c0bc1469ac861086cb4552d20081f23c38b7a39237180fc5cd09dec44f01be1b224a026d4533cf9be22730a76cfc1238517907db402e25a73df6fded846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9222.tmp

Filesize
660B

MD5
8d2c9e4bb5bda5ea547bb5db8cd42eff

SHA1
f75cac531a5fe78246670bf16ba677c71489bb27

SHA256
352560a222abf4329f73f1a5c9806fc4f8dca20f46e040234b2e393e372d2472

SHA512
5447b677d8b74d9a01421ddb404e4d5b9e57ad0e700d91f000ef456a10c16dd38e0ea5a000df20edd56d0a70c3540b59158f15e81671fc25178a6fb7f59a9d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2456-27-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-30-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2456-29-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2456-23-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-28-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2456-24-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2456-25-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-22-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-2-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2720-0-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads