metamorpherrat | b4a8c8b2a1e0fc7f526d176b18b4f24b9b72a430d7b337f0943bd06afc12710e

General

Target

3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Size

78KB
MD5

3ccb4c53ebcc6db5b38ff12d401f84b0
SHA1

098f9412b85ea0c6f6391414a36de41ecc2ae4ca
SHA256

b4a8c8b2a1e0fc7f526d176b18b4f24b9b72a430d7b337f0943bd06afc12710e
SHA512

a2a076c3ad0f77d93f053eae5f9df2e0863faa95be41e2f0f3d172221fae5051f6dba4402120ee5d0d5aef50bf102253473de06bc0bf21f15dcee741554e04f4
SSDEEP

1536:XzHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLR9/ga1P:DHYI3ZAtWDDILJLovbicqOq3o+nLR9/J

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp7ADB.tmp.exe

pid process

2616 tmp7ADB.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

pid process

2556 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
2556 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2616	tmp7ADB.tmp.exe

pid	process
2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp7ADB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7ADB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exetmp7ADB.tmp.exe

description pid process

Token: SeDebugPrivilege 2556 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Token: SeDebugPrivilege 2616 tmp7ADB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Token: SeDebugPrivilege	2616	tmp7ADB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exevbc.exe

description	pid	process	target process
PID 2556 wrote to memory of 2736	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 2556 wrote to memory of 2736	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 2556 wrote to memory of 2736	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 2556 wrote to memory of 2736	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 2736 wrote to memory of 2760	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2760	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2760	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2760	2736	vbc.exe	cvtres.exe
PID 2556 wrote to memory of 2616	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmp7ADB.tmp.exe
PID 2556 wrote to memory of 2616	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmp7ADB.tmp.exe
PID 2556 wrote to memory of 2616	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmp7ADB.tmp.exe
PID 2556 wrote to memory of 2616	2556	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmp7ADB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acyebonl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BD4.tmp"
3⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp
Filesize
1KB

MD5
9a1831b3897d71d110f3d12e3605c78d

SHA1
ce87e274efa0ac0005ecbfc3e85e3b30d273749e

SHA256
c0ccc4f5412d9475f66d8972f21e15fb17b95b5e03b9b658713a722246ebe446

SHA512
ed9f645f17fa9017fb766922957624538cd31b31450fd0450f1625b2094d8ea52e354c158e9317ad75d5248d6b997242234e6db4454546515b37b8833775b425

Download Submit
C:\Users\Admin\AppData\Local\Temp\acyebonl.0.vb
Filesize
15KB

MD5
d614db9353247741bd0c67074bb055ba

SHA1
92c7512432bbd6ff935eee6185fa78a9624a4c80

SHA256
645a73932ec163c8b456ab9ab809769b4b1c17c86fe1d313a7d116f2e9b76229

SHA512
ba066d0344dc27729aad287ede2f6ffa8fced3f9264187aa95dcb63c83d54c36a678825a34dd70ce177328d5f38066695e55bb6c87fe43b931901537ff6ec7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\acyebonl.cmdline
Filesize
266B

MD5
93fd2eb235cbc1ff289871f7c8888404

SHA1
d8935c6f528d9b29a723c3b47f26978a3f430377

SHA256
cfb06a072c24991e75b0e3206743bf949e339692a1bce275f92e3b4fa1aa77a3

SHA512
f87cdf4819d8c3ac3ea147bc96d10a267db98b0c42a8542b9dba1e9b7baa8c6078b26ad3c76e31c7de2bd8aa4b4537a0060405ca0e1a1b46b737a3548756111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe
Filesize
78KB

MD5
89f631c42c0a54d3bdb1af1ce9d45da3

SHA1
7db1170bfbea68e3fe81124470f48eeeae7489d6

SHA256
be23c33176d3a8d38d12e47f69b943a99ca7673ac7aa4d8ed3a9ece1764f6436

SHA512
4e1677c23e6502e5bf996e42adb13f2535256558c0c9226fa23c2e261f152f3adf61bb9c69c33018481e03c4401a9a62918ec0d0cfcadd4422a74750da891123

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BD4.tmp
Filesize
660B

MD5
57c6b22693e7aa569ee3237bbd1a4bb8

SHA1
5488cf1dc11478a7052f6b53a0a05b7afe1c742b

SHA256
263c16f8271b8cce2cc502637deb7511c0e86734e1e33fb88a1b4cd45896d719

SHA512
6cff989ac0df3a19093608e4f6b8276519a2469b54b176434353696dc61e18a783570ff9c958dc1678ba9e2838650cc8212520bb8ca7b538942af86d913a790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2556-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads