metamorpherrat | 4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1

General

Target

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
Size

78KB
MD5

e5be2462fefba3f6bd0cdbba67410b95
SHA1

f68347fa8b06578487c2141d6d82fb6fd7679c97
SHA256

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1
SHA512

24fb60c02072a5b0c3cb59aa4a95a9a821043027e8b6fcb77939d2dfdbbafec7f4e5460bf6ad09c31ab2f3cdfe96ef4ef846f4ee5945063088fde60d9eecb0e5
SSDEEP

1536:2y58cdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC659/U1bS:2y58rn7N041QqhgB9/j

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp81DD.tmp.exe

pid process

3036 tmp81DD.tmp.exe

pid	process
3036	tmp81DD.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

pid	process
1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp81DD.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp81DD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exetmp81DD.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
Token: SeDebugPrivilege	3036	tmp81DD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exevbc.exe

description	pid	process	target process
PID 1996 wrote to memory of 296	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 1996 wrote to memory of 296	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 1996 wrote to memory of 296	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 1996 wrote to memory of 296	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 296 wrote to memory of 3048	296	vbc.exe	cvtres.exe
PID 296 wrote to memory of 3048	296	vbc.exe	cvtres.exe
PID 296 wrote to memory of 3048	296	vbc.exe	cvtres.exe
PID 296 wrote to memory of 3048	296	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 3036	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036	1996	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp81DD.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvew9qz0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8316.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8315.tmp"
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8316.tmp
Filesize
1KB

MD5
dff2a427e68befd5e67e08963e01c174

SHA1
0ae064de33eb41c04bac9854d528c7d42183ba9b

SHA256
9654bfce0fae4c05f3784f290bc99626cafa5b8c0484034a2e6d4fcef19fd62b

SHA512
8ee28984c9b7bcb007516fc0c5a410491b07d9a46a1dce0702ebb803accfbd4f3eafff36d7ce6a4f44336c3ad605c0620e089cfb573c0133f9b6a8a30878c232

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
Filesize
78KB

MD5
d175c93e4173485cbcab1ccc4466fcbc

SHA1
ff1d5c17794a02c3c84cea8fbc076bd4bdc18ddd

SHA256
dd154f7224910317585e1cce428ab4af92da482fdfda8d61a9679fef4eb41248

SHA512
91e24e8ae9df9130f52bd452e04321b0a179e6b6abdc30d97751b26a061e1d811e072435d94c44404a52d714f1f50c71141a680fb377457ba7a7a0cbba39608f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvew9qz0.0.vb
Filesize
14KB

MD5
bd4baa0cf01968a5a683435afdbd3437

SHA1
f4d6f634eb1cf16e29367b4a5b737a26b3b8881d

SHA256
eaaa0a1ae25c74e75e213bb92a53006cc8f1c06e661ae6fc6f4ae01dc3c135dc

SHA512
130ecb60f52748ece567f5fca2c6d36b61daee4fe605655a0c63df773e520f9d2428e32e59aa9e08c663369ad696208b4a40867f52bd9ef2166814da0ad4684e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvew9qz0.cmdline
Filesize
266B

MD5
3008ade2c507d96e0f932de1f1d9005b

SHA1
849e2e802ef591cdfb3ce6a1d71c8c1b3718a4f4

SHA256
7487e7a0a4f4746f5a42d4758b4a7e372c5b68164fc0e14672b3aa4a07ff129e

SHA512
b01eedda8be8e924e2cdf0c717bf95ea225a240eff347a3e77e97659909bd6766a16a81e3842c13c7cfd8828c4d9be1c4d513f3b0e47e9252331dc5d23d775cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8315.tmp
Filesize
660B

MD5
4acd53d758caeea419f738580f1da282

SHA1
c43a92458fb4ac5b21d63501a1ec446d8c3c9cd3

SHA256
56f5539e79bb17a57765c6d056cf481474ea722fcec63537cf14fc33ab4fb7f5

SHA512
b17532a1dd47bc3ed3ecb5ea2dff5392e7ea2fe4624ce4fc808bd3fddcf33d4cfce66fa9e69d72fdf66d1a97f922f5a565f673e73f808e4c298109d58cb8b653

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/296-9-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/296-18-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-2-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-24-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads