metamorpherrat | d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774

General

Target

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Size

78KB
MD5

376dedca7b965f4e92d716915589dfe0
SHA1

441da49f039e2376cd9d6054bce8ad8f9613239c
SHA256

d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774
SHA512

cb80adaa04be365626feeb046ca411600f92c23700ecb98cdb281cd1e2f181451459278a0bc55ed5f6bd17f51a79b454957832f854352044273ddf838435be77
SSDEEP

1536:1PWV5qLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6h9/op1pT:1PWV5UE2EwR4uY41HyvYZ9/o

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1861.tmp.exe

pid process

2632 tmp1861.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe

pid process

2932 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
2932 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2632	tmp1861.tmp.exe

pid	process
2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1861.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp1861.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exetmp1861.tmp.exe

description pid process

Token: SeDebugPrivilege 2932 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Token: SeDebugPrivilege 2632 tmp1861.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2632	tmp1861.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2932 wrote to memory of 2004	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2932 wrote to memory of 2004	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2932 wrote to memory of 2004	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2932 wrote to memory of 2004	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	vbc.exe	cvtres.exe
PID 2004 wrote to memory of 1732	2004	vbc.exe	cvtres.exe
PID 2004 wrote to memory of 1732	2004	vbc.exe	cvtres.exe
PID 2004 wrote to memory of 1732	2004	vbc.exe	cvtres.exe
PID 2932 wrote to memory of 2632	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp1861.tmp.exe
PID 2932 wrote to memory of 2632	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp1861.tmp.exe
PID 2932 wrote to memory of 2632	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp1861.tmp.exe
PID 2932 wrote to memory of 2632	2932	376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe	tmp1861.tmp.exe

C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\by9gqhyw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18FD.tmp"
3⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe" C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES18FE.tmp
Filesize
1KB

MD5
4ec1c09e8752d6a6ee9b4a92210b4f3c

SHA1
7453e2efdfd504c21b8a76f4d52213ebca0c2266

SHA256
72e5bac3f13a31b6f431d6e6d5ba0077ead6a6364fd64b8de400337eb085a46b

SHA512
05be78a87d9199cc7c2e9bd0bd17e6af19a425fdeae9c8963bed829b66d0f7fa07dd1e7cbf8362a318b982fee35d01f647357ba9333d916de8186f8cabe2cde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\by9gqhyw.0.vb
Filesize
14KB

MD5
68aed454fce6cddbd0fab4490ce17ac3

SHA1
b9784956038d70935d8b2c5b60f4aa9201a80785

SHA256
ecbe3b55bd63b699fe46a90547a9b807ad83c9d2cde596d47d860999c48a39fc

SHA512
37d3a01dacc669ee483421a170dcaab91b42d2aa5f409021e02d534d40460fe665ae40be735655a4c121692362d9dc06f5bddc78e0019280418cb2dc8d5b5a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\by9gqhyw.cmdline
Filesize
266B

MD5
573ff44d20c1be59b30c0b06e1154305

SHA1
642787df4bafb3d75359d1ffeecf14ddbaf89c3c

SHA256
53f26d44a133bc64df6949f37660c4ca070ef36351c757a59122df246db59ac7

SHA512
c5dfea54bbf39240389abcd2680d861fc35cbff38e68058e8a89f726d8de1393164ee0b32e222cdff80d800b050df12ee9d7fdcb2ba4b1788a5a52ae50fea0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe
Filesize
78KB

MD5
640d7f1d5fccb78028b17500fc2ae51e

SHA1
47d3a58cd4cc9239e7bde1ee47986db3124db52a

SHA256
dfa172afcc2fddb2f5c8d9f043eea156b242f7da6d12090f2f7fcd95e6d65d7b

SHA512
918d88d399117652d07de4c948b966a838933ba775f64b21d19ecf4a4088c873c2671f87b37f4bb02e0c6ec38344a4d80a118835e99b768c89cfdf9d45edba08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18FD.tmp
Filesize
660B

MD5
59090ffd5676263a75ff384fd2d057ed

SHA1
6ec8771841dc154571df771fdac4031dcd571825

SHA256
523a587985ff866c98d475e5b4673de6109a61587eb30b6b831fc3064c4ceab0

SHA512
5d02699a8cdc0e4b4cafa72123746e595b109703128a34ed166cae5ea526478b01b53f36ce937e49253fd34802e976ffba27ff81185e79866f773f52c7179bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2004-9-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-18-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-0-0x00000000743A1000-0x00000000743A2000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-2-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-24-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads