metamorpherrat | a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663

General

Target

ea598db77a9a4bb6029715382d3ebdb0N.exe
Size

78KB
MD5

ea598db77a9a4bb6029715382d3ebdb0
SHA1

3c13d11d762d10162d7f027bc2819e5a1ec78119
SHA256

a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663
SHA512

77b25e8fde6539968ed46c57732608dda58a249ef4946516e0de38cd23cfa8200a2bca5efdee23e6a83c93b998d56f233e02e605986cec4fa5c1ad99658c9dd1
SSDEEP

1536:4BWV5jSEAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Mc9/G1JO:KWV5jSEAtWDDILJLovbicqOq3o+nkc9L

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpD92F.tmp.exe

pid process

2636 tmpD92F.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exe

pid process

1712 ea598db77a9a4bb6029715382d3ebdb0N.exe
1712 ea598db77a9a4bb6029715382d3ebdb0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2636	tmpD92F.tmp.exe

pid	process
1712	ea598db77a9a4bb6029715382d3ebdb0N.exe
1712	ea598db77a9a4bb6029715382d3ebdb0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD92F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpD92F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exetmpD92F.tmp.exe

description pid process

Token: SeDebugPrivilege 1712 ea598db77a9a4bb6029715382d3ebdb0N.exe
Token: SeDebugPrivilege 2636 tmpD92F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe
Token: SeDebugPrivilege	2636	tmpD92F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exevbc.exe

description	pid	process	target process
PID 1712 wrote to memory of 3020	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 1712 wrote to memory of 3020	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 1712 wrote to memory of 3020	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 1712 wrote to memory of 3020	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 3020 wrote to memory of 2116	3020	vbc.exe	cvtres.exe
PID 3020 wrote to memory of 2116	3020	vbc.exe	cvtres.exe
PID 3020 wrote to memory of 2116	3020	vbc.exe	cvtres.exe
PID 3020 wrote to memory of 2116	3020	vbc.exe	cvtres.exe
PID 1712 wrote to memory of 2636	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmpD92F.tmp.exe
PID 1712 wrote to memory of 2636	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmpD92F.tmp.exe
PID 1712 wrote to memory of 2636	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmpD92F.tmp.exe
PID 1712 wrote to memory of 2636	1712	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmpD92F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe
"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w0aqkplg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9FA.tmp"
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD9FB.tmp
Filesize
1KB

MD5
3127ddac0350f4fe545090a3f7df5891

SHA1
56f8e7dc62677f0724026c119793fb8200b5ed04

SHA256
23c3c1cd72d74d6eac2bb88f246c64ef88fe4d1eb23f7bcc09fa8f3a721087f5

SHA512
f42ebab1d2dd1587a17239fea6c11e1e4a6c4c031539843e173be5870b2eaaee5ad29655a4981992250f99b96cdb835511259a11e5115b13287079756142b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe
Filesize
78KB

MD5
bf688f1a25878f3e8d80c24ead919551

SHA1
7f3c0988d0e7855c5cc5c59344d1206bdd5f8583

SHA256
d9e44e9a008f64404bbd426e70465f24165b9d28d6204a18bf81774a9f6a1b4e

SHA512
742fe8c9a226fd2cce116725032b35464330d10b983523284246f20c84a2dcdc5dc8d7f16c57570fed0e998478a0db79ae293f18633a1f576ef29e52c5fe5415

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9FA.tmp
Filesize
660B

MD5
8e767a03259e347fbd10b719df0f219f

SHA1
9f0041a2b07a9441754a77e6c6c4185be60a19a2

SHA256
acc93850f94fb1915dc566d83f5e1606ecd0351fc2d9d4ace6f8e86ade529253

SHA512
f9f2bb7e3c5619cb88ed26a841bbb8d6c06706cb5bbce770e6cfd85c19c1f44343cca93d1c9057d79b66cd16e47b59c3770b7c9a8ef6f8da29fd6ba10b8150da

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0aqkplg.0.vb
Filesize
14KB

MD5
1076fba7acfd02b4f82d69c22a9125a5

SHA1
6d838afb154914e61cc468e92dcc15bc5c3607cd

SHA256
7e18511f58c2fd1e6bc0cab8a578394cb129c21a83ab42570e8353a685fed86b

SHA512
758b003fd5cd7c459962070c083f2bbfbd09504a59374e5ce3f92dc96e6cf4e4f046e0b359fdd6bc68ad8f39bf383247e7665ae3d3e775d3dd33910368f9d879

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0aqkplg.cmdline
Filesize
266B

MD5
a0a767ac7ae25595ec86e2e98d132921

SHA1
6bbddf304487f4569dcbd6b6314aa10957293993

SHA256
e4db48f2eff5c5ecdc0b50dd39ef3b3be6a5ea04829a1cc2c8676cd68a8dd393

SHA512
31d940b54ed58088410d6e36937c524e7b469992876c53e313aeac3eed9dc13465e95e4a96fa1387e2eb3cb506c6ed4503ed6fd35725008cac79646b5d701db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1712-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-24-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-9-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-18-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads