metamorpherrat | 5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22

General

Target

2561b7a1603462034ddf1da1bd2fed20N.exe
Size

78KB
MD5

2561b7a1603462034ddf1da1bd2fed20
SHA1

634c9f4bfa9073ac5a68676ea7fdf1f260fde473
SHA256

5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22
SHA512

876a89488c7dd5aa0cec2e32d4171dd77750ca6e6132ecdeac01e1247be14c94c93ed6a048013c8ef7057c76c1471e4b5d305bab3e27f7187c46b89396a00e03
SSDEEP

1536:KsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtt9/X1tn:KsHFo53Ln7N041Qqhgt9/n

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Deletes itself 1 IoCs

Processes:

tmpC3DB.tmp.exe

pid process

2908 tmpC3DB.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpC3DB.tmp.exe

pid process

2908 tmpC3DB.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exe

pid process

2420 2561b7a1603462034ddf1da1bd2fed20N.exe
2420 2561b7a1603462034ddf1da1bd2fed20N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2908	tmpC3DB.tmp.exe

pid	process
2908	tmpC3DB.tmp.exe

pid	process
2420	2561b7a1603462034ddf1da1bd2fed20N.exe
2420	2561b7a1603462034ddf1da1bd2fed20N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC3DB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC3DB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exetmpC3DB.tmp.exe

description pid process

Token: SeDebugPrivilege 2420 2561b7a1603462034ddf1da1bd2fed20N.exe
Token: SeDebugPrivilege 2908 tmpC3DB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2420	2561b7a1603462034ddf1da1bd2fed20N.exe
Token: SeDebugPrivilege	2908	tmpC3DB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exevbc.exe

description	pid	process	target process
PID 2420 wrote to memory of 3056	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 2420 wrote to memory of 3056	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 2420 wrote to memory of 3056	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 2420 wrote to memory of 3056	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 3056 wrote to memory of 2416	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2416	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2416	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 2416	3056	vbc.exe	cvtres.exe
PID 2420 wrote to memory of 2908	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908	2420	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpC3DB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2cdh77j.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4F4.tmp"
3⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC4F5.tmp
Filesize
1KB

MD5
5396a6867178ec873a350c83e08fd6de

SHA1
df822d77fcc803db1ce8c63e7f44e60e97476883

SHA256
6f4b48a0af9da97afbf4c2e036583702187a7a9eabd7fc6dbf79199623b95dc7

SHA512
0b217dc0bbc800eea8001530cb6d75f7af1dd49a9ed29e88045b86c2d0f7236549106e92c0beda2d34613d603eee21dd0a950eb092d4900caab53a3cd59af174

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
Filesize
78KB

MD5
897448f51a8a3f0d26da66d14c11cf06

SHA1
2e704c0382404a7dad92d5ead13d59a8fecbecd9

SHA256
d6c819f1bdb2296e9c5fb4dffce7a5531fdd337aa479b3432a3242a78df0e0eb

SHA512
4ecdc80986c8d1451953c4a1dd6e4e05df94e88a454d7fde140121fa22ed629723fd6df155b3ea88e7edf8e8aed5df17cec651b5997fb116fd4e371e4c90766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4F4.tmp
Filesize
660B

MD5
e64f9fa747851e9215931ce73618b274

SHA1
8fb41ad49cf070609473ced2a985ca930d68d559

SHA256
332b5d6fbbb7d311ad130384d4ffcb8a2ac08b9ea8699eb0c626d6b9bd0ed7ae

SHA512
73618c3e3202d147e93c81951cfe7f30f675322ef41e92bb98cdd4dcb4c0299935b619e382beaf00deea7140fb506bccd54bb6b44de42dc4a29d098197bfe8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2cdh77j.0.vb
Filesize
15KB

MD5
4e96b0edbfd33ce2046ff57c7e129961

SHA1
a6b402fdf2d556b9ad36ff19d3370b524f25078f

SHA256
0dbbcdba3e21e41fef50e986e4b14e6473fd877c56e97c6358660f275785464b

SHA512
05fa3d742cb0627dfb53c8a9ff7a30bd94d9865b02b23791a9df70af9cf08f82e73bde7e1306fce9b11f0b21edf9ea1cd91b7585ce2a259eb8f29a3d2d4dc8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2cdh77j.cmdline
Filesize
266B

MD5
b58ee7c72301282530c875b011d133b1

SHA1
3f581411183a0a47c654c8d623b4c5b4dc5c7cbf

SHA256
f22c24548d225507d55936db1bfb93cbf7c3202ee4029cf2dc76af144b0f735c

SHA512
c313f57286b17fb9dff46b868852c125d4a3fe9064b98caa7e94733d4f20552f6371cc2d2843483e510f50dd6f7ebfb1c2417885918d2fb877da0394799304f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2420-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-24-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-9-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-18-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads