metamorpherrat | e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243

General

Target

0002bcc0491b271edc25aff61de80f00N.exe
Size

78KB
MD5

0002bcc0491b271edc25aff61de80f00
SHA1

d9dcb3ade7946c494f6d41d374b5d994e24d2157
SHA256

e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243
SHA512

af8e2cb5e2b37165e30d217d7c1c5b0a31d16ed9ee36df6309041ae33e832cee85268fc2f9d25e00c008a6f307d4acdb57e1406a036fb1c30ef2250219ede467
SSDEEP

1536:VCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtc9/U1WA:VCHF8hASyRxvhTzXPvCbW2Uc9/e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1F44.tmp.exe

pid process

2736 tmp1F44.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

0002bcc0491b271edc25aff61de80f00N.exe

pid process

1996 0002bcc0491b271edc25aff61de80f00N.exe
1996 0002bcc0491b271edc25aff61de80f00N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2736	tmp1F44.tmp.exe

pid	process
1996	0002bcc0491b271edc25aff61de80f00N.exe
1996	0002bcc0491b271edc25aff61de80f00N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1F44.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp1F44.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0002bcc0491b271edc25aff61de80f00N.exetmp1F44.tmp.exe

description pid process

Token: SeDebugPrivilege 1996 0002bcc0491b271edc25aff61de80f00N.exe
Token: SeDebugPrivilege 2736 tmp1F44.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1996	0002bcc0491b271edc25aff61de80f00N.exe
Token: SeDebugPrivilege	2736	tmp1F44.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0002bcc0491b271edc25aff61de80f00N.exevbc.exe

description	pid	process	target process
PID 1996 wrote to memory of 2484	1996	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 1996 wrote to memory of 2484	1996	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 1996 wrote to memory of 2484	1996	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 1996 wrote to memory of 2484	1996	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 2484 wrote to memory of 2216	2484	vbc.exe	cvtres.exe
PID 2484 wrote to memory of 2216	2484	vbc.exe	cvtres.exe
PID 2484 wrote to memory of 2216	2484	vbc.exe	cvtres.exe
PID 2484 wrote to memory of 2216	2484	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 2736	1996	0002bcc0491b271edc25aff61de80f00N.exe	tmp1F44.tmp.exe
PID 1996 wrote to memory of 2736	1996	0002bcc0491b271edc25aff61de80f00N.exe	tmp1F44.tmp.exe
PID 1996 wrote to memory of 2736	1996	0002bcc0491b271edc25aff61de80f00N.exe	tmp1F44.tmp.exe
PID 1996 wrote to memory of 2736	1996	0002bcc0491b271edc25aff61de80f00N.exe	tmp1F44.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe
"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_girkcpn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2222.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2221.tmp"
3⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2222.tmp
Filesize
1KB

MD5
41e81242535f34b05ea4308492317f20

SHA1
9a1bbf3d7d1f4965aa1337492f47890e47eea709

SHA256
518eac1348510baf219c9c3f786fc6b30e76bb9e142e4283936b2a64bfe357b4

SHA512
686f15f8eb4302cb08a440d71889891a0390aa0110ac1694b9acfdcc4b6d572973b5cc71c801ae78c610de8deadcda6b666cc98a360c4628583cfcc7ba2e45fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_girkcpn.0.vb
Filesize
15KB

MD5
d0f5163def0d4686de6ce2c1a62a5d9e

SHA1
77e072cb6281d495c1e9c49c81d2226bcb921a81

SHA256
e6298be1816407a418e8ebbc7a2da348825f9efa9cd255e8f31ea7f866cbdc5a

SHA512
54fc42ae4f7e0d3dff6a2737a8b5683a8d40c8a14dce33d9cfb47aae6cdd1a35f351d171a327396fbd934bf3813ff301cac952cb2bd923e3d33e301bf0ace3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_girkcpn.cmdline
Filesize
266B

MD5
157e5dd65c28870a94273a0606c2767a

SHA1
ffb5589dce46f903bd076b01c36bc2955a951d27

SHA256
cf318de772047621a26ad710092a915718eb3e6d0b0dc44434c5c1a07cf77de0

SHA512
05e66265236e046a2d9af85701fdeffe1f993761940025acbfaf1c4f71f42d6ed9427ed9379cb78c44e5dace23702a5a96b632e3696fa95cd2e475b6049198c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe
Filesize
78KB

MD5
e50c66277e6d2c4e3f7e2564469f43a6

SHA1
132033fd86c467e7da212cc68d6c9d8359cc6e98

SHA256
c30f1fe733eed4a32b4830c78d47eb990e0e0f9b72c4ef469026d1497e8d417e

SHA512
ac68c729be3ac2973bd637e18010f782ccd7b90696927b8b3800d76460ec43c33803abebb93518155c823cc97fb11a109c7150cee3128dc5a6797ab2dba78fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2221.tmp
Filesize
660B

MD5
160009c71f443c319cf2dfc3fa266c6b

SHA1
e1467a03914b95a8539d5814719079fa5da67ebf

SHA256
e0eabff6a8b2f8b07935621556b629ba8fb91d0f88d196c611fd9850641aaed4

SHA512
57330b490a951d2e2d9e2064d2781e88948b8e72d247012cd17a9e6bc5eaa901c382b410aca1a24a3fecc5df47d8947793a19cd5874ddd5e2b0cf84811a5d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1996-0-0x00000000749A1000-0x00000000749A2000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-2-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-24-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-9-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-18-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads