metamorpherrat | 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0

General

Target

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
Size

78KB
MD5

6720be5e3ae5ab893f0a2c5a882a1299
SHA1

4e6839b86611b77164e8c0916c92e9365ec19f86
SHA256

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0
SHA512

6d5d61ad6578702a7cb0ca155863454857fb4a78dcff542633e52d781388d8418cbb5144ec6de028404293d528f465da71f2b5277708a8f7faab8b7f942cfdf6
SSDEEP

1536:wc58sXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6n9/dw1mN:wc58USyRxvhTzXPvCbW2Uv9/V

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF344.tmp.exe

pid process

2864 tmpF344.tmp.exe

pid	process
2864	tmpF344.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

pid	process
2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpF344.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF344.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exetmpF344.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
Token: SeDebugPrivilege	2864	tmpF344.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exevbc.exe

description	pid	process	target process
PID 2632 wrote to memory of 2712	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 2632 wrote to memory of 2712	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 2632 wrote to memory of 2712	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 2632 wrote to memory of 2712	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 2712 wrote to memory of 2848	2712	vbc.exe	cvtres.exe
PID 2712 wrote to memory of 2848	2712	vbc.exe	cvtres.exe
PID 2712 wrote to memory of 2848	2712	vbc.exe	cvtres.exe
PID 2712 wrote to memory of 2848	2712	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 2864	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpF344.tmp.exe
PID 2632 wrote to memory of 2864	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpF344.tmp.exe
PID 2632 wrote to memory of 2864	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpF344.tmp.exe
PID 2632 wrote to memory of 2864	2632	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpF344.tmp.exe

C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohncvtrf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF420.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF41F.tmp"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF420.tmp
Filesize
1KB

MD5
58ee8f747294f3ffda17f1647b010f32

SHA1
10f0bae1918dce5a7c5b56ec6c5a6935db2d32a5

SHA256
8e8217810ae11dac2ff699967dadb6a82d984f7f4f1bf3e988e91b836eef5a74

SHA512
ac9acb08d65068512f7316210db248b8885e313dbe01f507c7e4fd27c9172ddbc3c507a2d7f04fc07748642ce87b86d3948c25dfb5a59481b3bd0d80d1c69055

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohncvtrf.0.vb
Filesize
14KB

MD5
b86706b55a03ab75ebee846491025c99

SHA1
0a0d5eefcf811fa4b178a1724592a83e1e4b2dd7

SHA256
d67a39912c1ac0db4a614215b273ca357b21530e08e49a6a959917b1ff70f56c

SHA512
f45c51ac5998db9f72ff68c1009a87cefb9c4bc99813daa6dae8ef82bb9e6570a4b694c2e819b927cebd28ff7db64fd9aee341a29ea01d6699a19498c25be335

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohncvtrf.cmdline
Filesize
266B

MD5
739e67dc80ebebd1aaa840ea39647bff

SHA1
b0ec0b061222ad159a6372c8144cfc281ae15634

SHA256
99db3e5483a657998eabbe15c640d9d9913443e267c8025803806208779d95a1

SHA512
93d8b02ab557356d92643039018c46214bdbc1293acfd5e5f7d687b3772bfd75afe34dec6c6b482c942ca567531ae758854bc61b7a475c1460a9e2bfd09528d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe
Filesize
78KB

MD5
389cc8afce975eab977e3eab7dc651b4

SHA1
e9494de879c80fa03a2e1a713cebce624e5b10e4

SHA256
e7ec39e6bdb3bfa3779f60410e3ec0563403eabb266a2841e846d2737bbac025

SHA512
850652dc851f9f15e5912296752935131991b919a3209fc016c1489735df572386e2c51b61ef38edd2e41b9a0b8ee1e929ce6a1a4769daf00bcf8c5eeaaf7cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF41F.tmp
Filesize
660B

MD5
33c4afdde2fcc7fbbc6966408f13d1b7

SHA1
c51af7bd275286cc57eda443204612eb0043401b

SHA256
7922929b23112a8ab6e4341d036d65747b67b5100c91f5d05dd560b9ac7d193f

SHA512
1bf01452449040ca82be1f63e5c6f080389f1e6dd0a0f5fc0882f77f9593d99874c5fff6693c518b7b896965e041d19680337a8fae70b4504e234c5abb3ce556

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2632-0-0x00000000745C1000-0x00000000745C2000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-2-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-24-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-8-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-18-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads