metamorpherrat | 004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685

General

Target

004b1bf039d5156a874ba3d8cfeef360N.exe
Size

78KB
MD5

004b1bf039d5156a874ba3d8cfeef360
SHA1

d1c8bf057b2eb71b34ae55cf4d2a0505ae9fa461
SHA256

004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685
SHA512

a54a5ef26685cde8321aeda0d2e5465e8b7cc7a3dfd942ce22d27664f813341b60988b82ff4d04a656e056040e3726ecbf017fbc1bfcc8508a7b1974b42979bb
SSDEEP

1536:BPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtAU9/k1v+:BPCHY53Ln7N041QqhgAU9/f

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp2710.tmp.exe

pid process

2700 tmp2710.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exe

pid process

2256 004b1bf039d5156a874ba3d8cfeef360N.exe
2256 004b1bf039d5156a874ba3d8cfeef360N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2700	tmp2710.tmp.exe

pid	process
2256	004b1bf039d5156a874ba3d8cfeef360N.exe
2256	004b1bf039d5156a874ba3d8cfeef360N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp2710.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp2710.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exetmp2710.tmp.exe

description pid process

Token: SeDebugPrivilege 2256 004b1bf039d5156a874ba3d8cfeef360N.exe
Token: SeDebugPrivilege 2700 tmp2710.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2256	004b1bf039d5156a874ba3d8cfeef360N.exe
Token: SeDebugPrivilege	2700	tmp2710.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exevbc.exe

description	pid	process	target process
PID 2256 wrote to memory of 3024	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 2256 wrote to memory of 3024	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 2256 wrote to memory of 3024	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 2256 wrote to memory of 3024	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 3024 wrote to memory of 2172	3024	vbc.exe	cvtres.exe
PID 3024 wrote to memory of 2172	3024	vbc.exe	cvtres.exe
PID 3024 wrote to memory of 2172	3024	vbc.exe	cvtres.exe
PID 3024 wrote to memory of 2172	3024	vbc.exe	cvtres.exe
PID 2256 wrote to memory of 2700	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp2710.tmp.exe
PID 2256 wrote to memory of 2700	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp2710.tmp.exe
PID 2256 wrote to memory of 2700	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp2710.tmp.exe
PID 2256 wrote to memory of 2700	2256	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp2710.tmp.exe

C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe
"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jmfa7irm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A3C.tmp"
3⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe" C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2A3D.tmp
Filesize
1KB

MD5
0f7605dedac41a14a4e9fdfb501a05bd

SHA1
47f25da513e4b1e6b2ec814d4b6bed8063297562

SHA256
c21212147871135fb9355ddbf8536a6068ef495a1419007435c432f96799a679

SHA512
4d34abffbefde18bfe13df025079d44c85dfe4c66dce560a67aaf7bb58be0f829c1ea930641afc4b0789ecc395ed9c06054a58c3a1afd3b0062f30774184ac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmfa7irm.0.vb
Filesize
15KB

MD5
a0ed08202668a8e1211d6c91ef2a4fe4

SHA1
eaa36d3b4acf9709170f90d77750ecffbe666773

SHA256
194c6d2777885eba6db8d865c5e345e7ccadd00c02a030874a53b65ad627e0c7

SHA512
907a922a02c503b01c9ffacd39bdf568cd7a9cb137907327c956ff8d35c6fd673d31c979e6d7642d3bf6de3771feb272fc3e96a37226853afeaa4ba00283de09

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmfa7irm.cmdline
Filesize
266B

MD5
119ca2aff88029d0eaedbf2806931b6f

SHA1
00e8cc2e0d050d4f7aeb3d41d7be87bb2307fac0

SHA256
f9ee5f9356fa2c2c0068b3c726c7c52030e4196cafb5f786cfe1c7283c076900

SHA512
6a70be5b8efa150b102944921efb5b0f7eead5c26120304e279107a3040dd2104a6d6ea670b1632c9969a85a19eed3f09da0822b8e564cb40ec5572cc0dee8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe
Filesize
78KB

MD5
5d8370491f10ac8a30e7d1b9bc18d5ea

SHA1
e82fddabdb74fa1860efe86a0acd29a4a18e86d1

SHA256
547168016c1dd85e539f037c532d6f6454844ea3333120fdbf81df95444cb7d0

SHA512
aef6ab255494f6266ed599c2583aa25bdb9b44c70cd949bd218b260234b5e07f1e781275de1a5bd20ec335a772c2cbd3aacb093d1b67a50488a9efde472bac61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A3C.tmp
Filesize
660B

MD5
2c545739e11ec75b43c732be224e9c06

SHA1
69831d194d37506ff53449e3959e686aaef69818

SHA256
087f59c330af14282e40d58d100af4c7bf0edfa93b6084a3114bc8c06a95613c

SHA512
877dd1e393b00b5aa8f1f6dc62723a49b343497d4ba897e3a4612ba10d98d868e1959b77fbfa2503e540d88b6afad91b9ccff3a3dfdd0d360044bd329c16f81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2256-0-0x0000000073E91000-0x0000000073E92000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-2-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download
memory/2256-24-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-9-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-18-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads