metamorpherrat | 82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47

General

Target

0ef77e7056e91bce5f9c70414b10c470N.exe
Size

78KB
MD5

0ef77e7056e91bce5f9c70414b10c470
SHA1

924c459c451a3bcdb8d10408dae05b80232470bc
SHA256

82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47
SHA512

1f66c51eee4cf01ab93ae3ae5eb272fdc024a572611843d0b1f2a94adfa566f27a8a88ca2abd61a89b68fafffc973874258532a8fe6feba1469917974f0d7f0b
SSDEEP

1536:csHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtM9/i182:csHYnhASyRxvhTzXPvCbW2UM9/E

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1AE0.tmp.exe

pid process

3068 tmp1AE0.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exe

pid process

1988 0ef77e7056e91bce5f9c70414b10c470N.exe
1988 0ef77e7056e91bce5f9c70414b10c470N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3068	tmp1AE0.tmp.exe

pid	process
1988	0ef77e7056e91bce5f9c70414b10c470N.exe
1988	0ef77e7056e91bce5f9c70414b10c470N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1AE0.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp1AE0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exetmp1AE0.tmp.exe

description pid process

Token: SeDebugPrivilege 1988 0ef77e7056e91bce5f9c70414b10c470N.exe
Token: SeDebugPrivilege 3068 tmp1AE0.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1988	0ef77e7056e91bce5f9c70414b10c470N.exe
Token: SeDebugPrivilege	3068	tmp1AE0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ef77e7056e91bce5f9c70414b10c470N.exevbc.exe

description	pid	process	target process
PID 1988 wrote to memory of 2616	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 1988 wrote to memory of 2616	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 1988 wrote to memory of 2616	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 1988 wrote to memory of 2616	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	vbc.exe
PID 2616 wrote to memory of 2892	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2892	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2892	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2892	2616	vbc.exe	cvtres.exe
PID 1988 wrote to memory of 3068	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068	1988	0ef77e7056e91bce5f9c70414b10c470N.exe	tmp1AE0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe
"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C18.tmp"
3⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.0.vb
Filesize
15KB

MD5
d051820c57e5d87390647929820572c8

SHA1
a6e950b15c90a47c13c8dd8783b258a4fa589d5f

SHA256
6e3a1bcd76d49a659af67f40f82dcff58cc90d514bbf68a834dcc0c01aed2119

SHA512
f439d0f4e5c4c5b77c1f363819a8d0e5a9340d80182dbc83fc91817420ee831a3ac53748ad9dd88c59effe83019f0ad4e091747d08a8e7d36cf8dde6f28bf166

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.cmdline
Filesize
266B

MD5
d7092ffff86a90b4dff670f4d3b4e537

SHA1
7455211a43d32a1dfa0f3d7013fe92c3785bb879

SHA256
a21ba79009ddcf82f766fa63235c7bcece32267a432906c14e1967d8f7a2faae

SHA512
4d582f62affc6628d7bbbe2547ce74609d5ecdfdfe1cfd8224941efd2b4c72b3fc0928599ea192a92e8350ca2fadeb73e9ff441f32c0371ae0f82c60d57ab350

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp
Filesize
1KB

MD5
c77dd19247d633aacd168e2ad7b82cb9

SHA1
e0a53099ca2673fccb819db5cb2fe69ccfd2281d

SHA256
1df029c42f2d82173f35492eb7dfd2df63167d12e21f3d64979e4a90ace35670

SHA512
15048acc61b1b9be24bc6643d4c825b21149af4962bbdfb593faa7fd687a7964abca987ee82958d121ecaba3be00fb1546373a674334211a497d525f7eefe4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe
Filesize
78KB

MD5
01adc36e881b1d055c7f550d4273a391

SHA1
2f1b13bb5301dbba8d953504890fa08bda0f347b

SHA256
4bfb6732f81315e0fa40c5c502fb966ad7aded3d50d60dffa475632c3471f088

SHA512
356e2b44b4b74aed5e1441682e24ce298199bfc6b9664b3e80fa580793d0040a352aed367562e1f3ebdc6d7011dc84c1cda8583d765c9fe21c7d4a6179dcaa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C18.tmp
Filesize
660B

MD5
52053116653a3744576b6a6df769a6c8

SHA1
f7d25d23047ed4bbe221d4d00cb1fb922f476685

SHA256
590875e7890231bff52f2e97b67a4b3facd450b23292d422d1498308afbd959b

SHA512
1ada1ca961d24c5b679aaded00ce987c1b14572547080fd484c0c51c83a37125015322a09e7ed42fbc76cafb3ce18219c77bc1cd1d022bca781a157bb0ec8eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1988-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/1988-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-2-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-24-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-9-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-18-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads