metamorpherrat | 4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b

General

Target

4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe
Size

78KB
MD5

5efc8431509cb1b94154302dfb455d55
SHA1

8a8de6b69303be7e998c3ccc55379825cef2da32
SHA256

4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b
SHA512

f03ec0616d5768fb9e8929599d6605254d7e6d69865a0a9ee8e6484244674b8388ee8e2a6bbe18d82e65137d4ec48fb2c76a09bb26d6b1085e64256c56745b30
SSDEEP

1536:rA5jSxAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtt699/U1zv:85jSxAtWDDILJLovbicqOq3o+nK9/W

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp1C09.tmp.exe

pid process

2580 tmp1C09.tmp.exe

pid	process
2580	tmp1C09.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

pid	process
1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe
1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp1C09.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp1C09.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exetmp1C09.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe
Token: SeDebugPrivilege	2580	tmp1C09.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exevbc.exe

description	pid	process	target process
PID 1596 wrote to memory of 2652	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	vbc.exe
PID 1596 wrote to memory of 2652	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	vbc.exe
PID 1596 wrote to memory of 2652	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	vbc.exe
PID 1596 wrote to memory of 2652	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	vbc.exe
PID 2652 wrote to memory of 2696	2652	vbc.exe	cvtres.exe
PID 2652 wrote to memory of 2696	2652	vbc.exe	cvtres.exe
PID 2652 wrote to memory of 2696	2652	vbc.exe	cvtres.exe
PID 2652 wrote to memory of 2696	2652	vbc.exe	cvtres.exe
PID 1596 wrote to memory of 2580	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580	1596	4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe	tmp1C09.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe
"C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hohzydpl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp"
3⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp
Filesize
1KB

MD5
f543ac60322d7f9e70279194629e338e

SHA1
0df10886b7d5499dd7d44bb82c9d84f7684170b3

SHA256
8a8edec63310ba3bfefe840a6460bc7b6bb1c95a68dab25824f716ae30d9769f

SHA512
d7896e779521258bb8f8b4707b08f12b2bc02a2e585ede593e547bd0388a99e20c7f5c440589fdf11b7373e93c18fbdd41545ea976cf02572429a2ce4d572f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hohzydpl.0.vb
Filesize
14KB

MD5
2f648316e85a0887426144e84a9aa5c1

SHA1
b5f4c3de8ed1018c331ee1cac4bf9c0f9c491dbc

SHA256
03b3a6356ff9b453047ec32cb757a84a1aef09da24b73d8356a844aaf5365255

SHA512
51be4b7de4ae7d7827550806176a3e3a697af03993b15e0725deb12858ed2154f0761143964350600b9a603b2eca6077ef3411d9a18a0a6c43ef8b8e235ea9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hohzydpl.cmdline
Filesize
266B

MD5
141c47cb24f5ad779100dfa7c25cb9bd

SHA1
a71d3b6af122974cec32a615129e97840c423e1e

SHA256
54db9fd28c64423a4e499107a89b01dc9b298bbf8719871dd5d630493222f152

SHA512
5da8bcbc55c0649002ca608c8df6c60ff4ef81380a242e1cbfe0b85688c805432995fa76b994c0372cb08f5701a1008a81835941c18c8fccf1fb837f8ad8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe
Filesize
78KB

MD5
38c6ed3b8a4cd943f4bf2b7265b04f11

SHA1
00a3f9d41b409e3eeebc2011e32fd9878bce605b

SHA256
80951e48fa6a6d37b2c95871ee637a3391982744a86245acbda7e0091bcbcf7f

SHA512
0ced724c16a46ee592eba906754b22ebceda6a1ef990f43bdc665314b2949c7d959c059c2bb824c9aa7c9030c16482b084a61d2c2badf76e270b8fcba1d2a76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp
Filesize
660B

MD5
65479c64b7f3cbc39f57fbfa55ed059b

SHA1
e58771d0bd3890102cb5a2d128bb51f88fcb995a

SHA256
dda3681797cde40cf3ddc6e7cbe0aca15814a638420c25b931fd3bf2dd4a0dd0

SHA512
f3c6a451479b3331421cd469799f861ee291e1006d76298e770c72cbac4ce432acb09c938b7a4973352817f6863722a1dde73f9a1afc1a5198d4801aa2df1e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1596-0-0x00000000740F1000-0x00000000740F2000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/1596-2-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/1596-24-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-8-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-18-0x00000000740F0000-0x000000007469B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads