metamorpherrat | 9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5

General

Target

537592d1e3899ffc46a2cde415c48a80N.exe
Size

78KB
MD5

537592d1e3899ffc46a2cde415c48a80
SHA1

2d827e1e97d2f615c6b7978be57889b5180bd389
SHA256

9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5
SHA512

97c4489949293c01be613b6b3775735b28cb5f4485df1d4a98062140d25af3d2b3950af36ccd2d1c00fc932f912db0663b2aa8d841809af4ec9e2c55fe897b7b
SSDEEP

1536:FPWV5sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN629/31IL:FPWV5bn7N041Qqhgx9/g

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp4E01.tmp.exe

pid process

2792 tmp4E01.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

537592d1e3899ffc46a2cde415c48a80N.exe

pid process

2432 537592d1e3899ffc46a2cde415c48a80N.exe
2432 537592d1e3899ffc46a2cde415c48a80N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2792	tmp4E01.tmp.exe

pid	process
2432	537592d1e3899ffc46a2cde415c48a80N.exe
2432	537592d1e3899ffc46a2cde415c48a80N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp4E01.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp4E01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

537592d1e3899ffc46a2cde415c48a80N.exetmp4E01.tmp.exe

description pid process

Token: SeDebugPrivilege 2432 537592d1e3899ffc46a2cde415c48a80N.exe
Token: SeDebugPrivilege 2792 tmp4E01.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2432	537592d1e3899ffc46a2cde415c48a80N.exe
Token: SeDebugPrivilege	2792	tmp4E01.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

537592d1e3899ffc46a2cde415c48a80N.exevbc.exe

description	pid	process	target process
PID 2432 wrote to memory of 2736	2432	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 2432 wrote to memory of 2736	2432	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 2432 wrote to memory of 2736	2432	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 2432 wrote to memory of 2736	2432	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 2736 wrote to memory of 2676	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2676	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2676	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 2676	2736	vbc.exe	cvtres.exe
PID 2432 wrote to memory of 2792	2432	537592d1e3899ffc46a2cde415c48a80N.exe	tmp4E01.tmp.exe
PID 2432 wrote to memory of 2792	2432	537592d1e3899ffc46a2cde415c48a80N.exe	tmp4E01.tmp.exe
PID 2432 wrote to memory of 2792	2432	537592d1e3899ffc46a2cde415c48a80N.exe	tmp4E01.tmp.exe
PID 2432 wrote to memory of 2792	2432	537592d1e3899ffc46a2cde415c48a80N.exe	tmp4E01.tmp.exe

C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe
"C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"
3⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp
Filesize
1KB

MD5
f06782ebf233f5eb8675e8450945193f

SHA1
b764955cee157f3379ed72111203389561a80d8c

SHA256
0f226139240df5b44070a76015eac548cb5618e27ff1c250b087b8f25a99985c

SHA512
a2d8717d1c684e724a8d10dfa479ec67104f541d9385f56b9a343438241a6b85844cde483a22e03addecaa379958df71b3fe1077f7689a51d42b4d24a090bd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe
Filesize
78KB

MD5
4c61202d609f6ba1100cf71a90c6fa35

SHA1
83c95d3aa5b25a842739931a9919546b3a6b42c7

SHA256
caf57c984072a1e737f3440cf45425ff0ff48fadda6e575b5c67ee866f4f18bd

SHA512
c370fe0f8f2abed5819da8f6f820e3b2a740e8b65899ce42871595f43e29cc4b06063ac5035191628686db184c55a8e1c066c62436e2770616701039bb959904

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp
Filesize
660B

MD5
994aa94c6b0903e453c538e1f74fb368

SHA1
f0ab7c5b2b47df6e4a31148ad739e790921cd21b

SHA256
103609c91ad048c789e6c4f35cb02f282beae55b6a5bf9f3ef0b039e190397de

SHA512
aa6cf3b489d887828b59fc350781fe89ae7edb5094b2e1258ed77e0995c8c918748665fde921a6d490d7ba42ed71fa8fdabfea5b6c306c0a6aaa98fef862eb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.0.vb
Filesize
14KB

MD5
b96feede14b631edb189537ca2a8f6e0

SHA1
0e27529fd9379e45925f1ec12488f04dede082d5

SHA256
070ba1c76d8ffba7531c3360919df79e6858994a13de47b53014673d63d71ce1

SHA512
180c40ca1713f6a454bb534228945274e45582032365a43bd33aae5e71d0276c0d9d12a16923565085ea73661713d9ff736f33e1e40743d11ddb0c7481d6dbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.cmdline
Filesize
266B

MD5
b6073256437fe6ff8b486b7bce6dbafc

SHA1
92f5cf027e43b6d037d076ddd2cc7b7389137e22

SHA256
eaa7bafa178ae9c72d981a5f90a2a8235e0cb69f1d5a97371afcda06548c9e68

SHA512
dbb76489558e890fd3cd0e794d4f70aa0bcf4261e83181a9701fe909e94e4b41b5012295737be951d994455cf5599d831a957ad522f1f512512891be41f3837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2432-0-0x0000000074301000-0x0000000074302000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-2-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-24-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-8-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-18-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads