metamorpherrat | 0238d2e72264c3f0d27138a844504645148afbd5180a97ceaa50c14003bcc249

General

Target

c8a5290632bf7cf24d441c6e5fe2c958.exe
Size

78KB
MD5

c8a5290632bf7cf24d441c6e5fe2c958
SHA1

6812bc07c1d98100d0b49f37b097ee1b1151eea3
SHA256

0238d2e72264c3f0d27138a844504645148afbd5180a97ceaa50c14003bcc249
SHA512

6348d7bdfe8c1a0b957a52570b84dce12785ec5ccb541ac86a50d24b299e827016ef08160130fe9745a9be36c8823178bb456ae513cd15e10a9b98aa4578f41c
SSDEEP

1536:xy5jYdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96N9/41LL:xy5jnn7N041Qqhgu9/e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2640	tmp8575.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	c8a5290632bf7cf24d441c6e5fe2c958.exe
1996	c8a5290632bf7cf24d441c6e5fe2c958.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8575.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe
Token: SeDebugPrivilege	2640	tmp8575.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2504	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	28
PID 1996 wrote to memory of 2504	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	28
PID 1996 wrote to memory of 2504	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	28
PID 1996 wrote to memory of 2504	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	28
PID 2504 wrote to memory of 2628	2504	vbc.exe	30
PID 2504 wrote to memory of 2628	2504	vbc.exe	30
PID 2504 wrote to memory of 2628	2504	vbc.exe	30
PID 2504 wrote to memory of 2628	2504	vbc.exe	30
PID 1996 wrote to memory of 2640	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	31
PID 1996 wrote to memory of 2640	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	31
PID 1996 wrote to memory of 2640	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	31
PID 1996 wrote to memory of 2640	1996	c8a5290632bf7cf24d441c6e5fe2c958.exe	31

C:\Users\Admin\AppData\Local\Temp\c8a5290632bf7cf24d441c6e5fe2c958.exe
"C:\Users\Admin\AppData\Local\Temp\c8a5290632bf7cf24d441c6e5fe2c958.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ouceot8h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9290.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc928F.tmp"
    3⤵
    PID:2628
- C:\Users\Admin\AppData\Local\Temp\tmp8575.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8575.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c8a5290632bf7cf24d441c6e5fe2c958.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9290.tmp

Filesize
1KB

MD5
b4de2d63945c16005eac1f9d1aac4e27

SHA1
6d89cb41105983ed043f71f1dc6a9462c995a392

SHA256
29ecff44ca0f9fac7b0547d9959fbefd7f409aec6a8c78733175f75c07683b15

SHA512
37a4ce35bb4eab9d9c26fbc41b41e9f76b6af21d297c5a3307f9ba20671c47edf8aa0b46590dea8dad252c3d2789164327ea524b4aa1e26d709c6b4411fc42b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouceot8h.0.vb

Filesize
14KB

MD5
304f6b610cdba1541acfe465e2830fbd

SHA1
ac3908efc04c413d9cedc46ab22f676824f0fc20

SHA256
a026e2103f5aa5dba444446d2728df1e2c522d5a0cc0c35e70f342080c767e73

SHA512
7c00bdcc5f259cb9a975730011c251b56030aac7122833d7dc72e2441d5e5f8aa05501ebfa6768678652057fed6af13779dd314fa83a23499d8dc8cdaf3b3ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouceot8h.cmdline

Filesize
266B

MD5
e4975e1ff631baa6b1b328a3d53ba93c

SHA1
7e2add38595d6618e6f71de858f56d69a7e0a066

SHA256
33186855cb5db74fa00bedabf5b47677f6510d6ae51e2fffc2049f40186904bc

SHA512
abd2b44795e8f49e904570a8065652b696bfa60f8ed048bb0a41a1118e64c747b4f41ecf6f18a89df27d8c1f35bf8e1ddc75acc944fa1d072644e37891017502

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8575.tmp.exe

Filesize
78KB

MD5
3847ab64f835d10fc6d11fc661fe83ec

SHA1
e76a51aa7407c672d35153bd16a51197ffce8d00

SHA256
1298502827338e67c81bd6cbc1c41d5dbca972e51a9d6e89acb3f5c2080a601b

SHA512
3c0157c5b818dad1039e13139f3ff3cf5cdb7a44e1aa9e9f8154a4897ba291ce928a4d592bed11f39d6f7391241a31190e3724f32ae1bf6f89a11cf5fbf1495d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc928F.tmp

Filesize
660B

MD5
2d4345fd1d87b2d7dd7f6d1cc9834313

SHA1
cbcc0f7e356c7728bf51a20b5c7bf57e6e8ca8a1

SHA256
44597929b82f6b690d3d9ebe153ee8d4dd9c46e73c962733d017e66c8ccc9a55

SHA512
a1cbf12b1032b616e7ed3031e6bb7526dc02014b3ed783728661e273dd7e4c17399126b5ecf866ab500850962d4874bc9e781966a98fa01352522cea29221f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1996-23-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-2-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1996-0-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-8-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2640-24-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-25-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/2640-26-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-28-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/2640-29-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-30-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/2640-31-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads