metamorpherrat | 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3

General

Target

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Size

78KB
MD5

92147390866e992d61c2e53fa1dbf232
SHA1

98aaa505c71acb3ff181ff0e12614d5d9cf9847b
SHA256

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3
SHA512

125ac3c5aedeb846589e3fdd37a7bebe55a846da5cf3c3d8f6033c752e7d037a343a1260885f54e720c18192a689a709ae8146496f01c91c19bec6f68d5f19c1
SSDEEP

1536:uWV58gdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6P9/J1ol:uWV58vn7N041Qqhg39/M

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC265.tmp.exe

pid process

2496 tmpC265.tmp.exe

pid	process
2496	tmpC265.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

pid	process
1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC265.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC265.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpC265.tmp.exe7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exevbc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC265.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exetmpC265.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Token: SeDebugPrivilege	2496	tmpC265.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exevbc.exe

description	pid	process	target process
PID 1720 wrote to memory of 340	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 1720 wrote to memory of 340	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 1720 wrote to memory of 340	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 1720 wrote to memory of 340	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 340 wrote to memory of 1600	340	vbc.exe	cvtres.exe
PID 340 wrote to memory of 1600	340	vbc.exe	cvtres.exe
PID 340 wrote to memory of 1600	340	vbc.exe	cvtres.exe
PID 340 wrote to memory of 1600	340	vbc.exe	cvtres.exe
PID 1720 wrote to memory of 2496	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmpC265.tmp.exe
PID 1720 wrote to memory of 2496	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmpC265.tmp.exe
PID 1720 wrote to memory of 2496	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmpC265.tmp.exe
PID 1720 wrote to memory of 2496	1720	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmpC265.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:1600

C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp
Filesize
1KB

MD5
b3250071ac805216d1bd4e3262af4b70

SHA1
7067e2d62bdfa2fe4c4c04d7a581d57656ee7d79

SHA256
627ae831d2c2c14c7d033826654c4da476eee1810d1e735e7edbb140995c9a38

SHA512
78f800948169f595f89231551a7a7213668283fb01e2612e8047d8e7db6d2f53107033df46a79145b12b55df24bb95efbfd0069182ce3b6173420a571887f571

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbbodjae.0.vb
Filesize
14KB

MD5
ce2d3c69c497834a4b16d556cbe73034

SHA1
3988203d388e57c074bb38b1bf282dff6bcc6f35

SHA256
66e72f9c71ffe98786b3e6352fab10e570c4d522c326e6e92ae228a40f880665

SHA512
5406518224110fe91dd934de75ceaa89741fad2b3fb211e2d2b94e3085d4ba57d1f55ecac7b78039366fcc492f2bd27672713bd2cff9ea8d2d38ac93aa23c201

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline
Filesize
266B

MD5
84218ed9bac345b3a01605b667021ca3

SHA1
b75f29e5e46a935b41fe5be31b47f380a32a874c

SHA256
7fed0dbf6ad5eb4c785a968c8193c15c6b2fa6c8b011f764d65845318699e372

SHA512
5f263180b1ab08db73424be6801f96cd5e4a37459a7c58addd86ea6c6b54f731e995ff7a5df5cdc02949b5c6afd6791d849869f05f5864a7240550526cafa619

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe
Filesize
78KB

MD5
54b777a9b938e971f2da53e3e40bafdf

SHA1
9e6af76274b61961b7ca16f683a0995e9d607349

SHA256
537599fa5648cddbb591e1e2e5b3d3892958e97d368310c49c03e0de8a267200

SHA512
b9da181bb300a9c51b7b8dbe65ad2b68d538cd4a1ace4d13a8161499436202261241b185efe95bd272a993c7bc860b7f3274299f96948a38bc00431c843c23bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp
Filesize
660B

MD5
d030fc5acb50ba6c9ef8afbfd0b0f24a

SHA1
e9d5b2ec4dd2e1922b2e72a8c9d7c135f2a64ae0

SHA256
9a51ab0d8ac35a89c0cf3379698aa8f604d43fd50561dc045105ad5b5de549c6

SHA512
f431d6102901c9b5301c3d84edeba216fa32a193f90e315d48bba70d8b4142c7016c84ac72743c92e9dd5b254379dff7ccde3dbf2e0fc1807c03b18c98ee33a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/340-8-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/340-18-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-0-0x0000000074551000-0x0000000074552000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-24-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads