metamorpherrat | ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa

General

Target

dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Size

78KB
MD5

dd868c65b9cb2b674e275d9cdbaf0e10
SHA1

9651bba10b11253f50510dd02d7481aa5ac20053
SHA256

ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa
SHA512

c1cfe52762cd6c69d7a88c3fcb86adf78d24ef160da8cf9a7b7d5b620dce647ea8a366f0974e4e96a681bf88a2ac97917fa71267d50249b8c353d77f592f411e
SSDEEP

1536:NWV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC67g9/QR1hR:NWV581n7N041Qqhgjg9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Deletes itself 1 IoCs

Processes:

tmp341B.tmp.exe

pid process

2808 tmp341B.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp341B.tmp.exe

pid process

2808 tmp341B.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exe

pid process

2696 dd868c65b9cb2b674e275d9cdbaf0e10N.exe
2696 dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2808	tmp341B.tmp.exe

pid	process
2808	tmp341B.tmp.exe

pid	process
2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe
2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp341B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp341B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exevbc.execvtres.exetmp341B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp341B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exetmp341B.tmp.exe

description pid process

Token: SeDebugPrivilege 2696 dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Token: SeDebugPrivilege 2808 tmp341B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Token: SeDebugPrivilege	2808	tmp341B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exevbc.exe

description	pid	process	target process
PID 2696 wrote to memory of 2860	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 2696 wrote to memory of 2860	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 2696 wrote to memory of 2860	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 2696 wrote to memory of 2860	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 2860 wrote to memory of 2216	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2216	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2216	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2216	2860	vbc.exe	cvtres.exe
PID 2696 wrote to memory of 2808	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmp341B.tmp.exe
PID 2696 wrote to memory of 2808	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmp341B.tmp.exe
PID 2696 wrote to memory of 2808	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmp341B.tmp.exe
PID 2696 wrote to memory of 2808	2696	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmp341B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe
"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flcob5yn.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc362D.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2216

C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES362E.tmp
Filesize
1KB

MD5
2e6c36417e94cbe1ce9398190ab1350a

SHA1
0bd02843c99684512d19ac99a6f28909c090d02e

SHA256
f49ba702bae1bc954a77e31995cc55479b3fab437c79267f516c79009451c3d8

SHA512
65dea404f4891f6989441bbc1469fb0de26c296125adb0e4a18f03ade08504cf13bd7995232b761932ade193443f160059feaa55f5199b9189960fd5980955f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\flcob5yn.0.vb
Filesize
14KB

MD5
080b97d3ce5c0e902a7f3aeb62bf3643

SHA1
a26aabc30a98c48e9f33f4be559911f2417047a7

SHA256
22b40f0da869b88bfdd0b4e764e9c3a43e17f4cd5bc55510d26865e89f3c5318

SHA512
8d3646b585d9bbb944d432ef58548ff83f19a80e88ed91460bf43f7f05335cd4ce242ce96f6ff912f8aa76d465ed3c19009e6c36fd5fe09d565df6174b8e05da

Download Submit
C:\Users\Admin\AppData\Local\Temp\flcob5yn.cmdline
Filesize
266B

MD5
2077292aef3edaf519a6cf1e22979834

SHA1
3142053e5c2d5915391a5fdd21a34d1bb12c47ee

SHA256
d17af23066befdb5c86308e5ea1ba675fcbca825d610ca19896269c19573b394

SHA512
6405d1dca3145176dbd340131ca5db0175924cf344654f0f675c59fb4a0ba6acfadd23da4775952ae7314cde1ae133b4a9f2f2f2daa6b5aedc1a4693049193b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe
Filesize
78KB

MD5
1203d0e46ca54cb9331625020f4e45d2

SHA1
f5fafc85df429e1a4f7764b9f2a03576080d8fc8

SHA256
b915e33ee049361f3ec8d2218810de841a026cd6d66cc28ecff256b7654f3e41

SHA512
d4f7594ef061889107282947c18472f4e9d425b07bb15c3e2904adcf23b9681f49414ecd4a0c41f3baa679a90a4439691031ea48e40da61473395ef4801a4cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc362D.tmp
Filesize
660B

MD5
383f4c3d6187bdd678db919ad4ea9c77

SHA1
c430380a1949a30ea02c98b095d7e4f4aa62610a

SHA256
d74c17f7e85920deb2c1feecaed3246799c17dd946fb6bbf82d147bd340bcc79

SHA512
a52775b719d31514e485d975e59e5ebb6bfe22001da69cd385683b668bb58e6cef4749503a3bf707b0970896b6063671cd90bc2b86e82eee00c9eb0090d32fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2696-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-24-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-8-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-18-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads