metamorpherrat | 1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9

General

Target

1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe
Size

78KB
MD5

97a09ad71ea8eab6d55d1c3ef2bacf13
SHA1

c69ebf264aeceaffed59fdeb5b0111968f8cd163
SHA256

1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9
SHA512

7d89ee6531fbbff24fd80d6867012577180cc8be06ccb34d894db29ff01d6820ccfccc93cb1762808bf18d5581d024163ed0da56b815b7c25ec5b64ef9641fd1
SSDEEP

1536:uWV589dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6f9/B1BQ:uWV58on7N041QqhgX9/O

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2008	tmp1A25.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe
1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp1A25.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe
Token: SeDebugPrivilege	2008	tmp1A25.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2348	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	28
PID 1972 wrote to memory of 2348	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	28
PID 1972 wrote to memory of 2348	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	28
PID 1972 wrote to memory of 2348	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	28
PID 2348 wrote to memory of 2180	2348	vbc.exe	30
PID 2348 wrote to memory of 2180	2348	vbc.exe	30
PID 2348 wrote to memory of 2180	2348	vbc.exe	30
PID 2348 wrote to memory of 2180	2348	vbc.exe	30
PID 1972 wrote to memory of 2008	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	31
PID 1972 wrote to memory of 2008	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	31
PID 1972 wrote to memory of 2008	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	31
PID 1972 wrote to memory of 2008	1972	1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe	31

C:\Users\Admin\AppData\Local\Temp\1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe
"C:\Users\Admin\AppData\Local\Temp\1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gv37n3ap.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AB2.tmp"
    3⤵
    PID:2180
- C:\Users\Admin\AppData\Local\Temp\tmp1A25.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1A25.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1bb2a9b749605532bf627755427e3df50996b58a26ec317335e94dc41bf7c9b9.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1AB3.tmp

Filesize
1KB

MD5
a68dd8c23c6c948c6b280999001afdc9

SHA1
214a3b15e15cdf056dccd818cbdb328150a65549

SHA256
fac35c23abe182c4172418b15c40f70ed60beeafe8e6bd83ed0ac31142d3da25

SHA512
e80164fae59bde6b8e8ec87ba36ba4f88a377c569280c80e02e93286a120f5c941b93746f1299b7eead16ba3203b5fd679cd140e5b0dd3db48093d7e5048a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gv37n3ap.0.vb

Filesize
14KB

MD5
bc742f914d98c46268790fc6ebf01d86

SHA1
0edc24f536757bba646332c5063808ca83ca75e9

SHA256
8e4fb9dd3c8d5b82a794a05788e700b10d1c6d6ed6e57ccfbe494de57d7f7911

SHA512
e16ef189caad12b542f95c02d39cafa22bf895c86624e700edf4dbe5570d38412b2daf1d6459d60f287f850ebad5301374a0a2a35e34e0d9917e35d7d2fa76cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gv37n3ap.cmdline

Filesize
266B

MD5
c1a1b48f7e94e74f1750108d21928eae

SHA1
8f8b58e4f82038b2945d4347f3537efce1a0fa15

SHA256
49d18bf829b6067bb13f405996d4ea85724ef13c25236fac07a137f8f23ba698

SHA512
db5fd580fc004f6cf79d84dc5918503012fd5eee4ae6f71b7f4405e2779c56270cda30b2969652c17b2339611e6e3a88e9983248f7c1c2b1235ae256d6f05672

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A25.tmp.exe

Filesize
78KB

MD5
e2b05376344c8686f28f4804d1b78bc3

SHA1
4845dc79b901fc7d3f5d8bfbf1cf29b79622124c

SHA256
2a06616eec39150cc9df98c8149ebb65d6ebfa500270736c13b0d41faefb96d7

SHA512
704951312c36c397a5b2ced9321dc842c13ee39943c9c61c18d0d1830ab6b3e7049942c9e452d9ec18ea4b9d870574dd77e46c9afbbeec118f99b89e45886aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1AB2.tmp

Filesize
660B

MD5
15911a821024a83d131b1c6c73efb9b8

SHA1
10e811ddd9d957b57f6949ee45affe97225f7b9f

SHA256
0a05d1db2f762813df9dcd8082d048103bd672365f19ba1b2a3c16d464065748

SHA512
ff827a88a8618a4c472aa005959615cf4bfb9601c7d3de5c211cb491e808e910034da20a34cd36a7337ae4b6e5e8df5a89bad7b0d60d935d66b501ea9bb01ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1972-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-2-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-24-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-18-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-8-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads