metamorpherrat | 1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7

General

Target

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Size

78KB
MD5

4ac1291fc0ec8ea3291ef6144b7df361
SHA1

d91139e68eb52f92e0508f37c83712c5c6321f60
SHA256

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7
SHA512

807adef244d28dc56dc0453edb409af047cd96ec2a623d4a4b3a5b0d46f4471a901c5391f2d902d9ea17111bda7080040046b8d026de876e4d43a013df840caf
SSDEEP

1536:StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQt/Wy9/QA19v:StHsh/l0Y9MDYrm7/Wy9/L

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Deletes itself 1 IoCs

Processes:

tmpD604.tmp.exe

pid process

2832 tmpD604.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpD604.tmp.exe

pid process

2832 tmpD604.tmp.exe

pid	process
2832	tmpD604.tmp.exe

pid	process
2832	tmpD604.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

pid	process
3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD604.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpD604.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exevbc.execvtres.exetmpD604.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD604.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exetmpD604.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Token: SeDebugPrivilege	2832	tmpD604.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exevbc.exe

description	pid	process	target process
PID 3024 wrote to memory of 2204	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 3024 wrote to memory of 2204	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 3024 wrote to memory of 2204	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 3024 wrote to memory of 2204	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 2204 wrote to memory of 2768	2204	vbc.exe	cvtres.exe
PID 2204 wrote to memory of 2768	2204	vbc.exe	cvtres.exe
PID 2204 wrote to memory of 2768	2204	vbc.exe	cvtres.exe
PID 2204 wrote to memory of 2768	2204	vbc.exe	cvtres.exe
PID 3024 wrote to memory of 2832	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmpD604.tmp.exe
PID 3024 wrote to memory of 2832	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmpD604.tmp.exe
PID 3024 wrote to memory of 2832	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmpD604.tmp.exe
PID 3024 wrote to memory of 2832	3024	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmpD604.tmp.exe

C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iq4iedbq.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6BF.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD6C0.tmp
Filesize
1KB

MD5
19cf387d75844fc5a1688d066feb9482

SHA1
971287a5bb09054d419c626c3f4557ff84a39b5c

SHA256
59dafd54c5c1a50790d391d38d09d8e5990a6cdb14603b3dd29c93e413be5502

SHA512
ff1417e06c05034bfb3111726c83f9bf2e10bad7a2ad6cda0c8b0f33039f6d1b61d60cecb6a20c29aab0139e94a1f70427452ae39108d3c7136045e3cc79d0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iq4iedbq.0.vb
Filesize
15KB

MD5
ec884eb5d359a412cf7f2300b205ee86

SHA1
20650b9d4e26f57fe2c465dfbc180fa488cbff3d

SHA256
09ae7477387beb5da0c3d38b93af73ca3da83fa157054ed605d1895602a76ab7

SHA512
fcef6bcc2924abe683408682986fd470a8f06d1094f0365b92d9dc74f6d2cd290d08dff655ed456e9d02d9da06acd8604e5ebb3609d62968272253bfc0cb8123

Download Submit
C:\Users\Admin\AppData\Local\Temp\iq4iedbq.cmdline
Filesize
266B

MD5
c7b14cbdc137f2ca8e78c7ba0c47e831

SHA1
821bbd961297363fbfde06fed2cbf54a559e9fab

SHA256
478464f320964a496de0a8b1bc8f89127827dade6bd91abb7d958c8fa661df05

SHA512
262349f2d5988885bb3ee4df19bdae0fda4431a740fabde468c86b6b6a351ef1393699d2d503377c2fbbb341534de849365bb88515986a53bb3dc57761cda223

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe
Filesize
78KB

MD5
eb8f980e87dd9445af4ef1651e1cff9b

SHA1
95edcc800ef823e31fadf3ab96c02b7b2a36102e

SHA256
ec6e3fe546f4fbaf5f2d8e5ac5f028ae2b23f686a5db510bcd26c42214003797

SHA512
6848fbbe37ea84693d895225fca8e2177baac80213f803ee8de3e05b9867c6c3d897ba8d31bc5b1fe8b2432e940bae99a5baab5d4a00f69b27e18290f432f750

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6BF.tmp
Filesize
660B

MD5
66fd8491f7eb0f3ee011764d9afec647

SHA1
1ab51a1b44b4f58925472e9f908b1573c9a5cb9b

SHA256
a055f18a5aadc78c7ada03be29b62e1e693fdec3d042f72c9e15ac0eca37d326

SHA512
8aa913868e593ef1c4d7f884d40c845685fb8a506d7dcec88b804043850b409206add30186177206890770c7f41258dcb47708a0dcc98b7fb5b6959730965b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2204-9-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2204-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-0-0x0000000074911000-0x0000000074912000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-24-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads