metamorpherrat | 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63

General

Target

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
Size

78KB
MD5

7f7dd4f0729e7e99746f337f24a68bba
SHA1

ed2fc51c181adc1f915cf2b1ab0e607a46558735
SHA256

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63
SHA512

fd756fde7a7c21e59ea20a4dab232868420260f682c48116cc1454c4669c8ddea50ad243e10df7d521e9050963246b5d72df2ebc734b577eb1d2fe19905b4a5a
SSDEEP

1536:CHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtMK9/DC1OF:CHFoI3DJywQjDgTLopLwdCFJzMK9/J

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpDCB8.tmp.exe

pid process

2732 tmpDCB8.tmp.exe

pid	process
2732	tmpDCB8.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

pid	process
2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

description pid process

Token: SeDebugPrivilege 2628 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

description	pid	process
Token: SeDebugPrivilege	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exevbc.exe

description	pid	process	target process
PID 2628 wrote to memory of 2328	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 2628 wrote to memory of 2328	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 2628 wrote to memory of 2328	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 2628 wrote to memory of 2328	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 2328 wrote to memory of 2244	2328	vbc.exe	cvtres.exe
PID 2328 wrote to memory of 2244	2328	vbc.exe	cvtres.exe
PID 2328 wrote to memory of 2244	2328	vbc.exe	cvtres.exe
PID 2328 wrote to memory of 2244	2328	vbc.exe	cvtres.exe
PID 2628 wrote to memory of 2732	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmpDCB8.tmp.exe
PID 2628 wrote to memory of 2732	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmpDCB8.tmp.exe
PID 2628 wrote to memory of 2732	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmpDCB8.tmp.exe
PID 2628 wrote to memory of 2732	2628	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmpDCB8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp"
3⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
2⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp
Filesize
1KB

MD5
66a2997ae37e3bad0cc2b333334f2a4c

SHA1
3e140dcce1a315092924687b228c1023fd61ffdb

SHA256
d313cba36ad53f19b03be2cde7aab0b2f4eed3df49bd6e68faa56caa8a8dd048

SHA512
0412559eed34e7424e9bac97905bb620ec671dfb320c882a40aa4021b0f4e16b6669980ff901f7878fc173f785b0db41e2dc496211fd06244fd95f97a2e48208

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.0.vb
Filesize
15KB

MD5
5db7a43f03cbaa30668ca21714c65672

SHA1
cee96516cd346c2339a6dc5496da578067f5da5b

SHA256
bbca7cac17bc40657f954e12c2341ed5442c29c7b3b02107858e2d268b8eda48

SHA512
a5fc3ddc2ab5b05bd09f96ec018124a7406fa23817c201d7595b1427e2eb9bad3997993bb03828caca2d0d86a08969978726da8903a12a15182dddcf38057c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.cmdline
Filesize
266B

MD5
96297f2a2127fa7a35833ef0d225cff3

SHA1
1e6dbb1b6216eec99e36ebbeec1b43cccf378396

SHA256
3e410d77cd72b893cbfcc0a8348b16885042c7291c535fddd034b0b40f07d4f6

SHA512
c776202058742ab25fab411f7152793125698e129111a9b54678eb068c2759250efc8e28ea610a7d2e0b9ffd6019cd41668d9ce3ee51f621ef992f954cceadf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe
Filesize
78KB

MD5
a3cbf1377b7974e869017fefb6ea94d3

SHA1
02ab5e4230f148f2f35390da70b62ceac974d307

SHA256
874cff4a7c24288588371b75c9894cc47d75d9d6cf8806e6ba3d6c883636d34e

SHA512
31188a9ffa1d5faa981117285bb352a9c9e154bb88ea1ba259434b761982550e5b7112208653999a9588ad6c3b8da6a67e820ddaf0e3fa3407c6ab77b9e5f21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp
Filesize
660B

MD5
bafc30662800bcaba3c96cc9aa1a7978

SHA1
e46bf411b57e0d435c2a82966df31cb5f7efd979

SHA256
56f8653bfc24af232907426f89bc57b3e33ae16572425039c489e9f64185505d

SHA512
c008c7ddab9bb5b02617ea2b998a9f50fa8e1a81b15163d9030c40159c245e2ce36190a11e7deb01968af329ea1b36532af288dde5153fd267d158a63f7b1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2328-8-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-18-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp

Filesize
4KB

Download
memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-2-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-24-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing