metamorpherrat | 384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959

General

Target

4055902531fb7712981860ed1279b730N.exe
Size

78KB
MD5

4055902531fb7712981860ed1279b730
SHA1

f900ddadbcb024f2c285d18d3eb88e1553967b42
SHA256

384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959
SHA512

fa73bc74ed256b7fd7fce0eb9ce20b6c38de7920c202720d6ab3c7e354cf33c4c9d81ad6187a095689703763e0468d9294a83883d5166ced743d8698cb591222
SSDEEP

1536:1e58cdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC64w9/a/k1+Q:1e58rn7N041Qqhggw9/ay

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC66B.tmp.exe

pid process

1588 tmpC66B.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

4055902531fb7712981860ed1279b730N.exe

pid process

3064 4055902531fb7712981860ed1279b730N.exe
3064 4055902531fb7712981860ed1279b730N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1588	tmpC66B.tmp.exe

pid	process
3064	4055902531fb7712981860ed1279b730N.exe
3064	4055902531fb7712981860ed1279b730N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC66B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC66B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4055902531fb7712981860ed1279b730N.exetmpC66B.tmp.exe

description pid process

Token: SeDebugPrivilege 3064 4055902531fb7712981860ed1279b730N.exe
Token: SeDebugPrivilege 1588 tmpC66B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3064	4055902531fb7712981860ed1279b730N.exe
Token: SeDebugPrivilege	1588	tmpC66B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4055902531fb7712981860ed1279b730N.exevbc.exe

description	pid	process	target process
PID 3064 wrote to memory of 2304	3064	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 3064 wrote to memory of 2304	3064	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 3064 wrote to memory of 2304	3064	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 3064 wrote to memory of 2304	3064	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 2304 wrote to memory of 1284	2304	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 1284	2304	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 1284	2304	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 1284	2304	vbc.exe	cvtres.exe
PID 3064 wrote to memory of 1588	3064	4055902531fb7712981860ed1279b730N.exe	tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588	3064	4055902531fb7712981860ed1279b730N.exe	tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588	3064	4055902531fb7712981860ed1279b730N.exe	tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588	3064	4055902531fb7712981860ed1279b730N.exe	tmpC66B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe
"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h7axlf21.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7D1.tmp"
3⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC7D2.tmp
Filesize
1KB

MD5
58795e5264392e16d11ed63637615326

SHA1
c0b34c910eb837fe38fff4644b61b25ba7d15a08

SHA256
100238945829f7202151e952fb202da8b8cf72e3ddf1da9fb61767a4af25cec5

SHA512
0f7ab653d3682b7e1655973d7f874485e144b53b97b5e79924120c31251d166c65b3ffbf580eba6d8a45719b140e7ad2f7c3ef1a8ef9669921bcbaa988f3411a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7axlf21.0.vb
Filesize
14KB

MD5
599ec997ac2d176ca8af0ef2f101c6df

SHA1
76cbf8c5333a15d49168613277ee8b329b670248

SHA256
9ac14b31d369ea0d5b71cd895f17fe8ead017e18e9bc301e3ab4648b8d4c5c6f

SHA512
f87f2c0536a34c7fb2f92f384909010164117f7839531560cc9b9ce97e1de71cfe9364b20d734697cd9a49aadcdac2e6adf7fa6a2dc0b6846fae03fc2539634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7axlf21.cmdline
Filesize
266B

MD5
09a84233097010ef918366f2f0b96874

SHA1
5e892a621115c541126d1a7f02b1dac3f43d4d66

SHA256
486fcc2d21ca2c81154807badf0437c06493bce76db2e1ed50845d44efd23e8f

SHA512
5586c851f941faf8283f4c866a3e4d6166aeb496e5a0ac2ce2a3ef9fa700ad0db9db212fa34dee65be5f2c11a99e8b1b6e3e589bcc1b27d189274aa34ee6f66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe
Filesize
78KB

MD5
8f1f272e8165e86222de5c38beeeb8c7

SHA1
45b662042dbc71b2be8d2773e7cc3148b457188f

SHA256
0075da70be44d3d1479919c35f4d517ac78beaa98592d6c72a854575ace68392

SHA512
1a00902cc54b6fab08b750d84aa2e3e8ff940c55fc9a21d3fd7f6b7ba378aca1a3893640bbb245e6452f34c1ed779b6ca2c0989c5ff2c99f80f221cd4134c077

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC7D1.tmp
Filesize
660B

MD5
a88622bccea08eb5d33d6e216639fffe

SHA1
46ab66f77fc57762c555c4a43939ce2f93013ed5

SHA256
1641b786bc199f171b648c028bf562898d83e90f2f6f24ae3e36d9ba36939e9d

SHA512
7a674f4da3bca0f7747eb96b4afaf360fcec6080abc3f18bf782b3e0a7f92c328ca41b577fb0e9e1d1741f5becd3bcd3da08eb3d7f5a07c81b5a0fe3bdea4913

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2304-8-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2304-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-0-0x0000000074821000-0x0000000074822000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-24-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads