metamorpherrat | c8df9b4050d59764f248e18f9e10afffa657565cf9f21873f99fdbdb1889affc

General

Target

cc4488c6362d1f9e95587139bacb4d06.exe
Size

78KB
MD5

cc4488c6362d1f9e95587139bacb4d06
SHA1

cacb23d594e543851e57ccb24b8cf9473ff31e56
SHA256

c8df9b4050d59764f248e18f9e10afffa657565cf9f21873f99fdbdb1889affc
SHA512

bff49c1308a833785098b494b26348c14c1097a73fa8a36f5e33aaa79dac071cf0d22188de025a11eb7ddc7e3fe787e6b199ad1080b8e53ed3e902cf5c8f8d70
SSDEEP

1536:0sHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtg9/s1M+:0sHYn3xSyRxvY3md+dWWZyg9/O

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2884	tmpAAB1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	cc4488c6362d1f9e95587139bacb4d06.exe
2320	cc4488c6362d1f9e95587139bacb4d06.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpAAB1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	cc4488c6362d1f9e95587139bacb4d06.exe
Token: SeDebugPrivilege	2884	tmpAAB1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2228	2320	cc4488c6362d1f9e95587139bacb4d06.exe	28
PID 2320 wrote to memory of 2228	2320	cc4488c6362d1f9e95587139bacb4d06.exe	28
PID 2320 wrote to memory of 2228	2320	cc4488c6362d1f9e95587139bacb4d06.exe	28
PID 2320 wrote to memory of 2228	2320	cc4488c6362d1f9e95587139bacb4d06.exe	28
PID 2228 wrote to memory of 3020	2228	vbc.exe	30
PID 2228 wrote to memory of 3020	2228	vbc.exe	30
PID 2228 wrote to memory of 3020	2228	vbc.exe	30
PID 2228 wrote to memory of 3020	2228	vbc.exe	30
PID 2320 wrote to memory of 2884	2320	cc4488c6362d1f9e95587139bacb4d06.exe	31
PID 2320 wrote to memory of 2884	2320	cc4488c6362d1f9e95587139bacb4d06.exe	31
PID 2320 wrote to memory of 2884	2320	cc4488c6362d1f9e95587139bacb4d06.exe	31
PID 2320 wrote to memory of 2884	2320	cc4488c6362d1f9e95587139bacb4d06.exe	31

C:\Users\Admin\AppData\Local\Temp\cc4488c6362d1f9e95587139bacb4d06.exe
"C:\Users\Admin\AppData\Local\Temp\cc4488c6362d1f9e95587139bacb4d06.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtfxnlsv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD8E.tmp"
    3⤵
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc4488c6362d1f9e95587139bacb4d06.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD9E.tmp

Filesize
1KB

MD5
0d3fca4d9a6ab843d0892c70fce7339a

SHA1
0e834a37ac4f2ce93e481039c82fd55fbf715647

SHA256
18610a6586d85269565220614c20bb96e76fc0f40b9842742d3e3dcf79e6c1a3

SHA512
2977414e86a3fb77fa94d065135ec72c24dcc4c2ae654c65eaf8c7f79ff47a970082cd53b8ba5143aff945cf8a19c4f46f9ea33c2531730c484ac884f457a827

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtfxnlsv.0.vb

Filesize
15KB

MD5
8c0ec2fd32e8678a70cc1384820e0adc

SHA1
20e749baa7dc9f5bd5dea4ce0f715dccb4da541e

SHA256
d74df1c688ee0d18245c7a8b87ff26ac8adb53dfc912c4da2cb25c5649a448d8

SHA512
40a17c479d66389673ed22e6ac56c8e3f71aafd947fd738e0a34151eb87231b2363c1bcb4da058cb2e59849fe2e7c28cb7a8d62e8a8eaabb7d8a3f120af58ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtfxnlsv.cmdline

Filesize
266B

MD5
23e9788015977036e1529bf18c63821d

SHA1
bd701e11c384401c8c01beb852ff5704df886978

SHA256
607b3c34113a9f7b3606c3a622c0c5bc24af17b35f4db651b02793af5abd0308

SHA512
fe0698a40515cde38baf9e6254080be04b15957cd0bc94f0cb6c10d68cbea56d2e28f1f9548c2a8904942647e64c23729393eb10b0aa4ac0ae027650916921e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp.exe

Filesize
78KB

MD5
8a5566fc73e052e021ffb1152d828851

SHA1
ef6411cba2389af6be6ed271b90565589a486438

SHA256
dbcb3a8194e140473bc26a1d5a2325a256ab48ae797ba8ab0f42ad221a41ae80

SHA512
d9270a56a8c4648aeb375026bbf972866eecf955dfc4f1f81d1eefdf949ae1aa97bf435051ace7e04e3468d696d73b52b26c9c3fa9b78d5ba5f04c77fc7c3e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAD8E.tmp

Filesize
660B

MD5
fcfa464b8a93b8f81106fdf9f20f6ee9

SHA1
d47c77507a6a7c4e11da7e2d8e0301342e4419c9

SHA256
a746afc50b13329dcc923b58aae685096ec1483f3a7cf3238ee84ca1e36fcfb4

SHA512
805ce0dac80d7d204126eac49a618311f95b07822adb83a7be8f50ec180543e0e61c9c7ec4e55d96f24956cb8f0daaf0f9ef9c215b47a61973176d294390c8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2228-8-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/2320-0-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-2-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/2320-1-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-23-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-24-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-25-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2884-26-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-28-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2884-29-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads