metamorpherrat | bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41

General

Target

611fbb528be6fde776975a1afea7ae40N.exe
Size

78KB
MD5

611fbb528be6fde776975a1afea7ae40
SHA1

3a3db1f638ce8b6f570e593d8275896bedd5493f
SHA256

bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41
SHA512

6c9d6a76421742aed15fe994c2762757b648f70d0fa44290f1233264f8aa157476471d461487f300fb1112ba125e2b8459d33aaf2dc6d53c95eb03a6487f1698
SSDEEP

1536:ItHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtO+9/5v18:ItHFo8dSE2EwR4uY41HyvY99/M

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpCDE9.tmp.exe

pid process

2900 tmpCDE9.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

611fbb528be6fde776975a1afea7ae40N.exe

pid process

2024 611fbb528be6fde776975a1afea7ae40N.exe
2024 611fbb528be6fde776975a1afea7ae40N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2900	tmpCDE9.tmp.exe

pid	process
2024	611fbb528be6fde776975a1afea7ae40N.exe
2024	611fbb528be6fde776975a1afea7ae40N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpCDE9.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpCDE9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

611fbb528be6fde776975a1afea7ae40N.exetmpCDE9.tmp.exe

description pid process

Token: SeDebugPrivilege 2024 611fbb528be6fde776975a1afea7ae40N.exe
Token: SeDebugPrivilege 2900 tmpCDE9.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2024	611fbb528be6fde776975a1afea7ae40N.exe
Token: SeDebugPrivilege	2900	tmpCDE9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

611fbb528be6fde776975a1afea7ae40N.exevbc.exe

description	pid	process	target process
PID 2024 wrote to memory of 2544	2024	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2024 wrote to memory of 2544	2024	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2024 wrote to memory of 2544	2024	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2024 wrote to memory of 2544	2024	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2544 wrote to memory of 2352	2544	vbc.exe	cvtres.exe
PID 2544 wrote to memory of 2352	2544	vbc.exe	cvtres.exe
PID 2544 wrote to memory of 2352	2544	vbc.exe	cvtres.exe
PID 2544 wrote to memory of 2352	2544	vbc.exe	cvtres.exe
PID 2024 wrote to memory of 2900	2024	611fbb528be6fde776975a1afea7ae40N.exe	tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900	2024	611fbb528be6fde776975a1afea7ae40N.exe	tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900	2024	611fbb528be6fde776975a1afea7ae40N.exe	tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900	2024	611fbb528be6fde776975a1afea7ae40N.exe	tmpCDE9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe
"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4wcmazl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEB4.tmp"
3⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp
Filesize
1KB

MD5
4fbf6db671cd88924f485d110a06d094

SHA1
48ae9c3939010efb397aa810077f35525cd2fefb

SHA256
bf150e47f28a1c8397982bcfc459f33753e377d891c559304f09b12f993e2647

SHA512
180f0e0c1ce45ab908161d9f9c84b974e423960d2c657486248a855d514ecfdf4ac5393a56093a797705844532a7d81aa629275be59d9dec7c9575a50599e609

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4wcmazl.0.vb
Filesize
15KB

MD5
2f89aec4975bc1c9ca02c4c6c49177f5

SHA1
92bfb6a543110dc160b75f949eaab7cf426a252f

SHA256
b753bb898de1b544d9e0520a298089f2ad431e821d7e046554e8771fa3012726

SHA512
52e94ba63796f45bb423d8ca3a6b1b7c4bb25f7d9dc7ea07d960440c14c5eae20120d5f42d6089bbf8bea934c1db44fd2223440500a956da330bad291ca6f1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4wcmazl.cmdline
Filesize
266B

MD5
677c93b7ff00a847aeb0ae20aa451eb5

SHA1
20f7d8c54ed5cbfc38de790b8678a09a5bcdf6fa

SHA256
a3b12750642166ac6e85bd62df937d6fd4be0241c0788aa134bb77fe53c011fe

SHA512
bdf636759a0ed76a53ec2d8794d0e9a2bb425991cc60441ef0daf8c2509fd1c61bf75f9a3368eedfde0f381411d56d0d2d6216dff554f673164f56bd9185269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
Filesize
78KB

MD5
1e871f4d780ac75af45b07c10ccf9d9d

SHA1
7dcd9eafc9e3f10c629c8d45ccc7d11ff0848260

SHA256
64742f28f16caf56afaccd612236e9c63fde4299bdd1a0149a54db65a2726eb4

SHA512
57b3addafa810dc81f82b7ee45ee1e9cae798609c7fd19c541624c540ab2ef5bea0b2b4bc177f009a8e0573fdcaf8d62235e68a709119f3f98964c88885dcc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCEB4.tmp
Filesize
660B

MD5
67811a37b2603451b0ea0395babf534c

SHA1
d90234c031b13e8fce4f470f2f906d1cd40c567a

SHA256
5cc6777b3eabde91f97e4ceb803288edab65de1ac7cbc9240132cfaf83250f2a

SHA512
2564610e2e228c89a946464c49748c90116e2f68cb87c9b8a42fe3f145dcf60b54187327212fe562422389736da32f10108d984b8e4e5f6718a44c6e513cee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2024-0-0x0000000074871000-0x0000000074872000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-2-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-24-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-9-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-18-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads