metamorpherrat | 07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe

General

Target

099cef853def114c5177030cdfe69c60N.exe
Size

78KB
MD5

099cef853def114c5177030cdfe69c60
SHA1

8b42410fb5e14ff02ff975ff7cf53250acdfb16e
SHA256

07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe
SHA512

0a252b31fe7f3073351fced73d3d7860c1fbbd47479f697237da1477792cf22fa3e7b0fcfcd8e7edb1d9ef8f3a17d461eaa3ce8dbbeba1e4a9ef48234df2b42f
SSDEEP

1536:tcPCHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qta9/Vs:2PCHFoI3ZAtWDDILJLovbicqOq3o+nao

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF98B.tmp.exe

pid process

2780 tmpF98B.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

099cef853def114c5177030cdfe69c60N.exe

pid process

1712 099cef853def114c5177030cdfe69c60N.exe
1712 099cef853def114c5177030cdfe69c60N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2780	tmpF98B.tmp.exe

pid	process
1712	099cef853def114c5177030cdfe69c60N.exe
1712	099cef853def114c5177030cdfe69c60N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpF98B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpF98B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

099cef853def114c5177030cdfe69c60N.exetmpF98B.tmp.exe

description pid process

Token: SeDebugPrivilege 1712 099cef853def114c5177030cdfe69c60N.exe
Token: SeDebugPrivilege 2780 tmpF98B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1712	099cef853def114c5177030cdfe69c60N.exe
Token: SeDebugPrivilege	2780	tmpF98B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

099cef853def114c5177030cdfe69c60N.exevbc.exe

description	pid	process	target process
PID 1712 wrote to memory of 1820	1712	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 1712 wrote to memory of 1820	1712	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 1712 wrote to memory of 1820	1712	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 1712 wrote to memory of 1820	1712	099cef853def114c5177030cdfe69c60N.exe	vbc.exe
PID 1820 wrote to memory of 2664	1820	vbc.exe	cvtres.exe
PID 1820 wrote to memory of 2664	1820	vbc.exe	cvtres.exe
PID 1820 wrote to memory of 2664	1820	vbc.exe	cvtres.exe
PID 1820 wrote to memory of 2664	1820	vbc.exe	cvtres.exe
PID 1712 wrote to memory of 2780	1712	099cef853def114c5177030cdfe69c60N.exe	tmpF98B.tmp.exe
PID 1712 wrote to memory of 2780	1712	099cef853def114c5177030cdfe69c60N.exe	tmpF98B.tmp.exe
PID 1712 wrote to memory of 2780	1712	099cef853def114c5177030cdfe69c60N.exe	tmpF98B.tmp.exe
PID 1712 wrote to memory of 2780	1712	099cef853def114c5177030cdfe69c60N.exe	tmpF98B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhobbybq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAE2.tmp"
3⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFAE3.tmp
Filesize
1KB

MD5
b05b3eb950d57d293826d3bf46244be6

SHA1
88451f62a2665f58d3c00681adf5b31a127098b8

SHA256
01f52b62b3187bfc76946c0ad7beb10d36f1c48e0f9c70e75b50e0cb72b3c904

SHA512
1f251ea094980e1b72f4d89b8af65bebcf1c07580f1a70d67f46ab3e46e4a6ca5516222147004368be80327474c559761f5030f70d38695f14d23a648d45894a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhobbybq.0.vb
Filesize
15KB

MD5
33362e1c392c21cf22b1e0b79c783692

SHA1
0074dcdc090764019899b77a18c33652482c0b5a

SHA256
d5e8fefb6d9bc823cceda8c8d8b3e5955b2a89972058fd8a364a981cbbd15c1d

SHA512
46f2b3e60f0956dbd6ca001785f5cc2fa6db457a7080c24d160b90d290c0f6d41f2b9b45f0fe7ce8409d06048970d82b7cff82c43bc3534906473cab984a7e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhobbybq.cmdline
Filesize
266B

MD5
128c753c1cd3205a83f7788c877ac3fc

SHA1
ec01983880ed803ad90bc5f718040cadf10db63b

SHA256
becb592f803eb19450a7689799fe74f8d274541a106682b6aec4a2f9d07e1f3b

SHA512
c5d092125bf7f15247dd04d2e916c2ecf4c1cab2ee132e56dce1fdbfaac4c3ab50098c70576e775d453ded7a4f02709f991a162f8f7f084e6fd520216e5b360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe
Filesize
78KB

MD5
4eae4a3c3d6d64af1b16970737aaa8cb

SHA1
11010d32ce2afe2a5eeb77305943b75cc536b1bd

SHA256
3600217e3181924d42ab8f51e8686fc95d00f8a9ec45bc3dd6e59fcfc8714384

SHA512
b602248a64bed3fa6dc880676bca7a846b4a3d7b8b272954bba94d99c847685a370ada78d7f21312eb1003a3a7c948a9b96e128dc482487d256c0d53b7035ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAE2.tmp
Filesize
660B

MD5
01764201cfefef6dbd61d7d1ecc4ef7f

SHA1
b70d3652d2ad2eae7b05b06b9229a059d5d4280a

SHA256
4f71cdff8642601c489bb172775faf5aeb1217825df6182ee1228c91448d332b

SHA512
fcefc82dbc1ad6f2c8be09a79cbeda124417d1692e93c765a21bb87b5a6e9242a71b657a790fe4f7932f5ff8958344a62b07150c6a61ea4411f6f1a49cc0164a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1712-0-0x0000000074951000-0x0000000074952000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-24-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-8-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-18-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads