metamorpherrat | 662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d

General

Target

56fda1a225279bc1a477cd3f82fd34a0N.exe
Size

78KB
MD5

56fda1a225279bc1a477cd3f82fd34a0
SHA1

c9a62f04247fad125ed89e95e7c452ba0a75ebdf
SHA256

662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d
SHA512

ac053631dd1808072071ad0d9975ad3fe738550a266517d1d07c32171b0143881ce3b830434c82abf75ca7a1bd8143d05bd89ebd3e31e30c7d4e569331b368f2
SSDEEP

1536:YuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteh9/XyJ1sA:YuHYnhASyRxvhTzXPvCbW2Ueh9/XyV

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp9C01.tmp.exe

pid process

2860 tmp9C01.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exe

pid process

2180 56fda1a225279bc1a477cd3f82fd34a0N.exe
2180 56fda1a225279bc1a477cd3f82fd34a0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2860	tmp9C01.tmp.exe

pid	process
2180	56fda1a225279bc1a477cd3f82fd34a0N.exe
2180	56fda1a225279bc1a477cd3f82fd34a0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9C01.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9C01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exetmp9C01.tmp.exe

description pid process

Token: SeDebugPrivilege 2180 56fda1a225279bc1a477cd3f82fd34a0N.exe
Token: SeDebugPrivilege 2860 tmp9C01.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe
Token: SeDebugPrivilege	2860	tmp9C01.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exevbc.exe

description	pid	process	target process
PID 2180 wrote to memory of 2496	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 2180 wrote to memory of 2496	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 2180 wrote to memory of 2496	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 2180 wrote to memory of 2496	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 2496 wrote to memory of 3008	2496	vbc.exe	cvtres.exe
PID 2496 wrote to memory of 3008	2496	vbc.exe	cvtres.exe
PID 2496 wrote to memory of 3008	2496	vbc.exe	cvtres.exe
PID 2496 wrote to memory of 3008	2496	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 2860	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860	2180	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp9C01.tmp.exe

C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wwl0clx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D87.tmp"
3⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2wwl0clx.0.vb
Filesize
15KB

MD5
d243e73a90102ec91eb37ce01f3067d5

SHA1
0bae02e6b06484dbc05747b7da97fd73135942cf

SHA256
11bb501db250ec8fdc6e401039ae8183bc00c335bab0affe86d952d7f18a8fca

SHA512
b7e9c2671e367454e7781070a60567b1fcd4360fd264e72c0139a847c753463f47c2cd8725e4e3e182690b9b58e124e480ea02279f75012de6c476d44be8ae18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wwl0clx.cmdline
Filesize
266B

MD5
831484d493db3a3858c58465458c75d3

SHA1
d79b7bada2537ad14e3eb97e23987f2cbd28581d

SHA256
6061dbd90babb165baaff7f75ecfd00391138dddb4fb763836603721d8d7c51a

SHA512
228723683b504eff2c31dfcccc76e4b103b84856fda85a4dc262d493d31a4d199c0333f8963d7b2d78c52e81aee8df8a69fcae8916a63432898db87ad5d79261

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp
Filesize
1KB

MD5
eecd4a509af43bdf12f1dded1acb23a1

SHA1
b018bee0d1af1ff85bbaf375f1ff71e656a8f230

SHA256
bdeb4cdcbdd7ae4d47074996481f6f743341b3a11c5d053758561a7a37bdc958

SHA512
8e6c71f307f63dfd16e71c818bcb4c5bfd3afd533bc15740e6ac40e60d2f84b75af53dc071c17f8a92dc0212ae3bc9397ce7bde1e0fb8e6456a5c3858c7ac407

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe
Filesize
78KB

MD5
948910d9b4ab2f0816a5c8643f9ed5e1

SHA1
ebf10c8ee97e1acfb7c02a52709d0727d0a170b1

SHA256
afbaa29d80627c88ecc0aeaa24223b851546245958d65947e9e9dc40d063f124

SHA512
f0e5e1e42e6b20ec34fd886264c18c478093d12d616add8d4b74554d20d9a0b80fbb85565d6d3e952cbe685b0e14df4683b4443d55d55da449deec0785fb29e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D87.tmp
Filesize
660B

MD5
9bd54e5929e6a092c96baccae22c2588

SHA1
ec0e8a3eb472b2d964e01d4cb02bdbfd97ed3896

SHA256
45f3b0f72c29d06b8bad3935ae4db1acbad0c5272ca736601eec203691c8e849

SHA512
9b2686a91437428eb0058c46d024ec89f514be8fc23b7f36dc62c73b93d7d3b2edd0daa8d6034b8c479c57ad4f4d12daa097f450fef309d4e387f5c67f53ca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2180-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-24-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-8-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-18-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads