metamorpherrat | 69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be

General

Target

584c0b6241c94a0bd06ad1be57123a30N.exe
Size

78KB
MD5

584c0b6241c94a0bd06ad1be57123a30
SHA1

70642d38afe2d3054f789ee0138040299f73ee93
SHA256

69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be
SHA512

1a6d877dbf42703ffcf339ed955def62fbf2579270ae1d687676d93526e8af9df6215ecfeae1dfc2cc05617737d62f2bedcbd357c09b47e4732e0e4d2a83d0f2
SSDEEP

1536:7HF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl9/W1ad:7HFq3Ln7N041Qqhgl9/N

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp92ED.tmp.exe

pid process

2660 tmp92ED.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exe

pid process

1924 584c0b6241c94a0bd06ad1be57123a30N.exe
1924 584c0b6241c94a0bd06ad1be57123a30N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2660	tmp92ED.tmp.exe

pid	process
1924	584c0b6241c94a0bd06ad1be57123a30N.exe
1924	584c0b6241c94a0bd06ad1be57123a30N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp92ED.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp92ED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exetmp92ED.tmp.exe

description pid process

Token: SeDebugPrivilege 1924 584c0b6241c94a0bd06ad1be57123a30N.exe
Token: SeDebugPrivilege 2660 tmp92ED.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1924	584c0b6241c94a0bd06ad1be57123a30N.exe
Token: SeDebugPrivilege	2660	tmp92ED.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exevbc.exe

description	pid	process	target process
PID 1924 wrote to memory of 1936	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 1924 wrote to memory of 1936	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 1924 wrote to memory of 1936	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 1924 wrote to memory of 1936	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 1936 wrote to memory of 2788	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2788	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2788	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2788	1936	vbc.exe	cvtres.exe
PID 1924 wrote to memory of 2660	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660	1924	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp92ED.tmp.exe

C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe
"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ckpluyt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9648.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9637.tmp"
3⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ckpluyt.0.vb
Filesize
15KB

MD5
cbc8e3899969db9634bfcbe0e328d883

SHA1
7851584ce2959323dc4491afb73332436f30ea39

SHA256
13d13c5d563f31cc9f374580464fb3dd12aecbc9e8141af20b42f1643eb3800a

SHA512
0cb0866293634d1363c1cbeb2d023bd010d41dc3cf1c31e6abf9eef2dcaffb96a1d40ee89df4f8c59bef298d620baffc2b7ecb3245da015d368fa76ad372a88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ckpluyt.cmdline
Filesize
266B

MD5
655066a24eeb56c373bf371c02d7fcd0

SHA1
20c478ed7ea7ac237dfd202a84c058640dbfee2c

SHA256
eead908b5ee0391e0114b61bee8b4fe0bf075ff54c75b4c761aadeaa69192da7

SHA512
e9aee5bdaf234a531680a87bcfb2fdcaaa7e01624023fde59b06ef1f2488f9e6b0699d7ca68d6d920b2de65793e90e4e59683cae642fda4a2f85e8316e160aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9648.tmp
Filesize
1KB

MD5
02179fb1f25f24a3380b9460cf7a9ef9

SHA1
b8936495e490ca017b27946ec2de0402b8ed17a9

SHA256
efde9e5e1b537cfceddf0d9b87d078e618862e84f9a850a9180a831757b9cb20

SHA512
210309a9495c44a353a98b80772cdf5dc2f0d8eb4f473b2e115b4948e551a97f0cf2f41d5ac95d801ffbe5211089f548a3fbcada5778f025ee5abc3f7dbfef74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe
Filesize
78KB

MD5
ae8ab3250af9cdbb14afe3e813ec8f29

SHA1
331e782bbe2cae03fd96cfab51b66aaa208b6578

SHA256
7825c29ac122e27ddfd4d91faae163ad370b7a205f45fb89e2fa0519ae1f1c02

SHA512
df3e0f521f8096ce6633bbdb10be1ca5057f5d79e637788964405ecd355bcb13f70f6af7fc05c85352877863f5999c34348b0398e844f69fba912ac31237ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9637.tmp
Filesize
660B

MD5
5e41b0b937a453c32b5e235421c1f00c

SHA1
a1a51cf15ab6910d01be111ded6b28202eaead90

SHA256
b7b00d1114312fbafbf42cf5cc1c0b084fb5df0313bc8d529377f1486806bec6

SHA512
b88d72908634c6ac2b8c8ac81f54d7bbb7075edd6802d0f4659535c464f315a82f03fcb560fffa6279eacfefe741fb2f722fd055177dd2a1268b212ff5657cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1924-0-0x0000000074021000-0x0000000074022000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-2-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-24-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-8-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-18-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads