metamorpherrat | 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e

General

Target

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Size

78KB
MD5

01870f77e360b7650820645411825ca5
SHA1

9257e1e7abdb47b7514d4a140a885905be573dfa
SHA256

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e
SHA512

e116e8d947e2cc166e83e55ece6808bd674d62f8c077fb815955769b90d63897a5c380a745648160294058f94067b5d72f70cb61749605b39c925a4ccbfbff84
SSDEEP

1536:NtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtW99/x1So:NtHY53Ln7N041QqhgW99/n

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1786.tmp.exe

pid process

2904 tmp1786.tmp.exe

pid	process
2904	tmp1786.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe

pid	process
2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1786.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp1786.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exetmp1786.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Token: SeDebugPrivilege	2904	tmp1786.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exevbc.exe

description	pid	process	target process
PID 2888 wrote to memory of 2392	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	vbc.exe
PID 2392 wrote to memory of 3052	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 3052	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 3052	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 3052	2392	vbc.exe	cvtres.exe
PID 2888 wrote to memory of 2904	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmp1786.tmp.exe
PID 2888 wrote to memory of 2904	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmp1786.tmp.exe
PID 2888 wrote to memory of 2904	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmp1786.tmp.exe
PID 2888 wrote to memory of 2904	2888	4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe	tmp1786.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
"C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ag5zci8w.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1862.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1861.tmp"
3⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1862.tmp
Filesize
1KB

MD5
11e20d5217654a58515a4d4764ea17cb

SHA1
c435bbc0fbf1cb02978dfe92fdcc189be5c6695e

SHA256
b9f25878641d0a9cbcbdc4580477505c970995d6baefc85c7f361856dcc6ed67

SHA512
c51a05a48d272aec602e4d85482d2248cceb4bcb853eeceebd698679c03554df4c3d2ddfbb2fff393b087ec8227809ea103b4cf8626e27794937bb048a855cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ag5zci8w.0.vb
Filesize
15KB

MD5
8db4cd52cb94cba86919c978a084e260

SHA1
9ba34effc4611d13038824eee56796b2a38a6395

SHA256
70e74c838f52be5d89eb6de9c0c9d0d470f72e9222d643f5523f04ddaba700b6

SHA512
f6953fe6371db15492ab32a36d73960ef10068a595a8a9a246b36a96c8a6d18fa55d5c83b8104f910fec19c428262f6874c676bf0c6f4c780efd8cdd2c56a742

Download Submit
C:\Users\Admin\AppData\Local\Temp\ag5zci8w.cmdline
Filesize
266B

MD5
3ba1a0775c3b699ef74bd31ac4ec0726

SHA1
8ef284baae6a0ba503441f65440df659c766f335

SHA256
dcaf38bea809b428ce063ed1b2346df41187176ceca59aa920465bb4ce7e1ed8

SHA512
3c2235a7986a058dca08b57fc8014938692acfcd3a96e272ef2b490a6e92a4d6b17f851a5c4b0ba86ed58f5447f8a948881fa7b20169d701d2a208656c76bfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe
Filesize
78KB

MD5
422eec47b45cd0e657d6ae7d8fc968d1

SHA1
4fa60458adb6fcc143f5d8c3404a09300205dccc

SHA256
d74a6236be451c0a3f167f2774fb3d2da6b97815177eb44e21194c03243a6131

SHA512
086a0c1069fa77de1197a8bfc3ba4870609e07775136a563e6d27602d963a350df36183d76336b449e3af77d6798fba049098e28e77a911c12a130ea4739aed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1861.tmp
Filesize
660B

MD5
4df46ba0dd120b8e4f16d7335efeb36f

SHA1
8d5e85973ec0018da8510284a78e666c42323410

SHA256
b467fdaaf2f1b815363305a35d7c75787fb1596d99c1824177388644929c64df

SHA512
ac9ffdf248fc5913080610f4e6e14b60970f82fea00520e243716f7fa03dd8d2b55cc32ee5f8ff2acf3d3680725b8b502d5fc5d0aad4db3ebe0e0cf7a0d58b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2392-8-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-18-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000073FE1000-0x0000000073FE2000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads