metamorpherrat | 2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699

General

Target

2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
Size

78KB
MD5

42c15c189c4ac429f658668e3ac742a7
SHA1

93e00f46114bf5b6e7d3e2f288ba3ab9746f5565
SHA256

2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699
SHA512

2b22b40ef58051286f22431bcddef45e8730a2c3266f03048aef1c03f8f8efc0a233e0119bff462f1f599e8951f45834bc368797920ba4dd5b083d92d1b46947
SSDEEP

1536:WuHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtei9/X1cK:WuHa3Ln7N041Qqhgei9/x

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1B2E.tmp.exe

pid process

2764 tmp1B2E.tmp.exe

pid	process
2764	tmp1B2E.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe

pid	process
2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1B2E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp1B2E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exetmp1B2E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
Token: SeDebugPrivilege	2764	tmp1B2E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exevbc.exe

description	pid	process	target process
PID 2180 wrote to memory of 3056	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	vbc.exe
PID 2180 wrote to memory of 3056	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	vbc.exe
PID 2180 wrote to memory of 3056	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	vbc.exe
PID 2180 wrote to memory of 3056	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	vbc.exe
PID 3056 wrote to memory of 2136	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2136	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2136	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2136	3056	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 2764	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	tmp1B2E.tmp.exe
PID 2180 wrote to memory of 2764	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	tmp1B2E.tmp.exe
PID 2180 wrote to memory of 2764	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	tmp1B2E.tmp.exe
PID 2180 wrote to memory of 2764	2180	2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe	tmp1B2E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
"C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\palwjrzs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C38.tmp"
3⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1C39.tmp
Filesize
1KB

MD5
cca1daeabafe25f3950a69a943012c54

SHA1
fb8a7c8f1b3847e37932730b1b7019085458d96f

SHA256
2e35c916acdae182956d423bd0b8b9e27cc68b86489068658f00fc1184d0a685

SHA512
02d5b215acf30bbb12a4cfdc3e81aaa4c90011fde65478a7c922b81cb23f68fc13ce33ee5064613db9d380dec5b18fe6215b77092b83c52f5b454db27d93e9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\palwjrzs.0.vb
Filesize
15KB

MD5
a7f4039e2f07cd663d9ab7e12cf09e48

SHA1
52be5a00ac5193e8eadd0dea0659ef88bbc13a7e

SHA256
eb21f553f9a8f3da4e23aca4f48cb91f9e00ceed50266897146c30ed1f611b1f

SHA512
68f77be60862eca815adf1f072504563601689a66874401b287b83962e6b1b981e021517a60bb58941b67cfcdcd31386e0553f6c1970f9619d7db84b20da6ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\palwjrzs.cmdline
Filesize
266B

MD5
2b0cb34c94cfb89df9b09ff785c3d099

SHA1
deb6a9c05b32faf2d0884a0218ad8e2f698073d2

SHA256
9f43d4c3744a73623e399e99c16b853561ced941f4d86ca8bc1b9ec195d1782e

SHA512
30c2f3084496b8bb7f4300bc1dea98c5d4d253f441702a6025c78a477047d64b0c3a27018f70eae77390f393dbd4967b4654730bba447f79d877061235ab1ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe
Filesize
78KB

MD5
cb84476c948dfbd5d29d38c6cd0fda8d

SHA1
9083ac23e9f983b9a0095bbac58fd950cb3c8c37

SHA256
2f85b120316bf8bbd8e176ccbafe185900ecd63161011c510f1b06381bb23401

SHA512
d120d9ae44b1f60d6069cb7629ef110b9964864d82d6ac8d0ebaea701499bf61c18805ef6d4f55017bfbed2940ddd18da1aae6743ebe495c2cd74546b35c2b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C38.tmp
Filesize
660B

MD5
b088f75a3a1201aab8319f5511704b83

SHA1
d99925dcb68f6260a9c65264ee48de26ac8590f9

SHA256
c4d52a01035e68c242c628be7424e3b45520ba0a7b557c4405062320e90c29fb

SHA512
7dc836ddbe95ff0ec85e2fd8aa460889544dfdc12240201021603e648ac4b1c6b098b2b6d9ae844686971499fc93ed38244fc2e1fe4dbc917ce120be0631cb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2180-0-0x0000000074811000-0x0000000074812000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-24-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-8-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-18-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads