metamorpherrat | 155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72

General

Target

72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Size

78KB
MD5

72be6a06caeeaf3d7eb5efa353dcadb0
SHA1

865654bea69023d7c271ce612c5de100fb7a9f9e
SHA256

155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72
SHA512

5fc9d1a6b29d3333382aa44f1839b1cafce7aa5bf3f9fd4524245e6e440e3298eaab90b563cd1c3c90ecbb6c9a7a615459fa3cef5c4a9e2dab76b0886a3556f3
SSDEEP

1536:nosHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt/9/613s:osHYI3ZAtWDDILJLovbicqOq3o+n/9/H

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpE2C1.tmp.exe

pid process

2508 tmpE2C1.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exe

pid process

1780 72be6a06caeeaf3d7eb5efa353dcadb0N.exe
1780 72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2508	tmpE2C1.tmp.exe

pid	process
1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe
1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE2C1.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE2C1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exetmpE2C1.tmp.exe

description pid process

Token: SeDebugPrivilege 1780 72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Token: SeDebugPrivilege 2508 tmpE2C1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Token: SeDebugPrivilege	2508	tmpE2C1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exevbc.exe

description	pid	process	target process
PID 1780 wrote to memory of 884	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 1780 wrote to memory of 884	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 1780 wrote to memory of 884	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 1780 wrote to memory of 884	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 884 wrote to memory of 2772	884	vbc.exe	cvtres.exe
PID 884 wrote to memory of 2772	884	vbc.exe	cvtres.exe
PID 884 wrote to memory of 2772	884	vbc.exe	cvtres.exe
PID 884 wrote to memory of 2772	884	vbc.exe	cvtres.exe
PID 1780 wrote to memory of 2508	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508	1780	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpE2C1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe
"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckyvyquj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3E9.tmp"
3⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE3EA.tmp
Filesize
1KB

MD5
0c67d2af4d167b800a4a9926c68f97a8

SHA1
b113d81fd4a71ac1d96d82fb98f36da5090e5d09

SHA256
396d6d78e38a171e829e6db2d7201531510b1f9c04c2427a6d463d14044b2293

SHA512
d9f7d3ba4f280670f7f9f85e526fd7084c6bf784a9b871dd6d18bee3d545186096f98cef66320b154c6a1a35b9e5ec6c8516af426dcbf502f465007da390a36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckyvyquj.0.vb
Filesize
15KB

MD5
a505c2020eaa5c7461ab3b047ad0baa3

SHA1
74ec53468b668ef33535a5e998165c0211a2e097

SHA256
4080d3e653972a0e53f93a12ebd571a26dbb9313151cc1d9d7343787c9723dbb

SHA512
aabb55e31f4739280a3819c8ce173857a4c7e4ce3226f5b00b38c4687efac437ff415bbec2ce62880330621a24879371e226cc6ccd3092e5bf97714abcaaa6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckyvyquj.cmdline
Filesize
266B

MD5
40e02f02238b346af2df668e67e21503

SHA1
5935990ced027d69922c7f52147780aa4d53e3f9

SHA256
1a483c1368b8e3c08ec969397677f18c4865119dec30ab542b7f20e435741a2b

SHA512
091d7a8322b6c8e8fbc90e853979580a068311a29ee0600bd78528b11b139f0b383200813521014f2bfcf46cade6e297559b0c263e2d2dce27d44d6143fa51fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
Filesize
78KB

MD5
cf7991d08438583ef6bf620c04a652d1

SHA1
0e148f33d334423b7d79ea657b01f248141cd959

SHA256
ab1d0a4d7c1e64450f89e8b24953d9b566a02ee5821d6212586ecd5b645070f4

SHA512
4135b4f2bac2ccb0bd82599532c9eeff9b48912108068e1d97cbec7d9e187f9bfba2ff514c881d9f5cf7e53cfbd1e0af43dc0d6505fd6d618c1e07b9f4493c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3E9.tmp
Filesize
660B

MD5
62440c459515189136913234c5034548

SHA1
194681b0947d7c774c52ad1bbc4cdc70e48ef7da

SHA256
5c8e2d884e296ce90f203777bee47b6ac626ea57a140482001674c7e8084120d

SHA512
7cbf5df6873f2b00a02ca66fd2a64cebeb3947b90f567734c7ee63e9e03cab1f55b47e5e22f4c6c59a6eec0c5c775ddc9eb5fce2d4ceb240229f74fec84af7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/884-8-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/884-18-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-0-0x0000000074DF1000-0x0000000074DF2000-memory.dmp

Filesize
4KB

Download
memory/1780-1-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-2-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-24-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads