metamorpherrat | 777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007

General

Target

818455c49d4f7d1ac72755eab5482b20N.exe
Size

78KB
MD5

818455c49d4f7d1ac72755eab5482b20
SHA1

c944c539adb88a3bf2a7f3cf16147e5d1d027fb2
SHA256

777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007
SHA512

fe8212b80a27324821e3490961efb46648d0f741273e328ad344a694763e1c9d6a069887087b9381800941752104537b252c286230ddddc130b7862cb2ba63b0
SSDEEP

1536:8A5jStAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti629/P1TN:Z5jStAtWDDILJLovbicqOq3o+n+9//

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpBA79.tmp.exe

pid process

2892 tmpBA79.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

818455c49d4f7d1ac72755eab5482b20N.exe

pid process

1660 818455c49d4f7d1ac72755eab5482b20N.exe
1660 818455c49d4f7d1ac72755eab5482b20N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2892	tmpBA79.tmp.exe

pid	process
1660	818455c49d4f7d1ac72755eab5482b20N.exe
1660	818455c49d4f7d1ac72755eab5482b20N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpBA79.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpBA79.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

818455c49d4f7d1ac72755eab5482b20N.exetmpBA79.tmp.exe

description pid process

Token: SeDebugPrivilege 1660 818455c49d4f7d1ac72755eab5482b20N.exe
Token: SeDebugPrivilege 2892 tmpBA79.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1660	818455c49d4f7d1ac72755eab5482b20N.exe
Token: SeDebugPrivilege	2892	tmpBA79.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

818455c49d4f7d1ac72755eab5482b20N.exevbc.exe

description	pid	process	target process
PID 1660 wrote to memory of 2972	1660	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 1660 wrote to memory of 2972	1660	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 1660 wrote to memory of 2972	1660	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 1660 wrote to memory of 2972	1660	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 2972 wrote to memory of 2252	2972	vbc.exe	cvtres.exe
PID 2972 wrote to memory of 2252	2972	vbc.exe	cvtres.exe
PID 2972 wrote to memory of 2252	2972	vbc.exe	cvtres.exe
PID 2972 wrote to memory of 2252	2972	vbc.exe	cvtres.exe
PID 1660 wrote to memory of 2892	1660	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBA79.tmp.exe
PID 1660 wrote to memory of 2892	1660	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBA79.tmp.exe
PID 1660 wrote to memory of 2892	1660	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBA79.tmp.exe
PID 1660 wrote to memory of 2892	1660	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBA79.tmp.exe

C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe
"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gycjxmlv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB44.tmp"
3⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB45.tmp
Filesize
1KB

MD5
fc8a69990dbbae7111b84143df7c1f64

SHA1
cd227f611f9acb21dc91c00d16ae974de0ad3697

SHA256
79d7b0845eb99367fd367379dcb22df594a563e07908f2c3ba4ce44d6ee16d74

SHA512
1386622358d687ae025e92d001452700d52b74fb2319527593393df0da7c13627ac891996b4007b95efcffab1b6ae03d5bc3fc9e0940a41ea3f0463fce70e87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gycjxmlv.0.vb
Filesize
14KB

MD5
a52659b7319956b906f5bf581c50649b

SHA1
db14dd0a8e92e5f4ab1fd67d296e2ca569f178c1

SHA256
7594947f13dcb6178fe0bee6ed20f60f48e412ff4447db8f6f1eddc962d69431

SHA512
5df43ae0ae78ba1ffa19b981662c5b79402d8f378a2e497ce1ae0c4ca48a364beecd2faeef283ea397a872524d55991a3617269800ce8643fb22a9191ff50fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gycjxmlv.cmdline
Filesize
266B

MD5
c21b3f309fb822bf77657ad1a0a29964

SHA1
37477acff8eb006668a126fc6cfe05ffd6a62dcf

SHA256
d82afaf8ed880d4d61724c8b29591533b7d7d6ddbf82bde1e644950f2d70e609

SHA512
7fd023f99ad54429247e2b57357bdbcb6c3510cdb6a88d3c21e12d5a72278340156a1baff92ec1c7e82407a7de50e0fb8d8ca3d21be878edf7f6a95c7e40fbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA79.tmp.exe
Filesize
78KB

MD5
6f2fbf5213721452e53d53605951b323

SHA1
14b0d0ee0be59edde32b06f4bfd2e1808162eb52

SHA256
e64f526a2377a885390224853e8b275920554f6e260bf17bb7e757ab313ebc29

SHA512
9bc3c2ffaafe7d4dd8610dc9e03956c57ccc00b57bf0908dfb2032cbbb7a4eaede411ba84946b66522411f272716d88f3437be87b65c701d41e5c8b90b43c373

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB44.tmp
Filesize
660B

MD5
ceccd025c8f66d733af7c74d959e40fc

SHA1
ebfb86372ee69b6bb8ea588c99de8869ed7f5df8

SHA256
d4a18d99f2b681576ebc6e6cb5a8dc8568d4a56fa3212e58388a6b933f505819

SHA512
f59dc32d866ddbb4d338c6ee252648e5bc4ca2cb073f95fadd5ae1ca18f12e7f97cf9a698b81fbf7b62fc77eff2de22ed2e0500aef065ecc1da206bb7e3eb2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1660-0-0x0000000074501000-0x0000000074502000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-2-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-24-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-8-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-18-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads