metamorpherrat | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff

General

Target

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Size

78KB
MD5

6decbc4c1e25065e0b08cd3cc00c5193
SHA1

582f4c9820129ce54bd5c74e545099a0d5eb2c68
SHA256

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
SHA512

7ae6290028171de3f86d2cf9e174c6604e57f5e5cb3e19e091ee5aceeab8547c063cc92d74834a35447db47538331b9fdc2d85501555618681df50941d7d2071
SSDEEP

1536:mHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLI9/9O1Yv:mHY8dSE2EwR4uY41HyvYLI9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp23C6.tmp.exe

pid process

1876 tmp23C6.tmp.exe

pid	process
1876	tmp23C6.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

pid	process
2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp23C6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp23C6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exevbc.execvtres.exetmp23C6.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp23C6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exetmp23C6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Token: SeDebugPrivilege	1876	tmp23C6.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exevbc.exe

description	pid	process	target process
PID 2716 wrote to memory of 2720	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 2716 wrote to memory of 2720	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 2716 wrote to memory of 2720	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 2716 wrote to memory of 2720	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 2720 wrote to memory of 2852	2720	vbc.exe	cvtres.exe
PID 2720 wrote to memory of 2852	2720	vbc.exe	cvtres.exe
PID 2720 wrote to memory of 2852	2720	vbc.exe	cvtres.exe
PID 2720 wrote to memory of 2852	2720	vbc.exe	cvtres.exe
PID 2716 wrote to memory of 1876	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876	2716	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmp23C6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2492.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2852

C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2492.tmp
Filesize
1KB

MD5
d11fa8c5ba0127d1273631b185398739

SHA1
ed9df0ba12ca7f80ffbeb9adde9502bf553d8d6d

SHA256
52f9242df07e778fc7767d862060b7802e049275c0018682b8823445acc8662a

SHA512
a20ec45faa79e6317fe86fa66171467d57909a1183e422bf1007c8283119c03dd7608d0f019bfbd33790e113ec2577e6efde9e822ea7805a25db2110726292fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
Filesize
78KB

MD5
0ba125c8789e9cabbb7e931d91a056bc

SHA1
9203e443f9ed4b5e136edf36b01cbd3ce424282c

SHA256
18f2b2c9379e3f32c80a8d548782012c298c5f44d8680488e1690349431897c8

SHA512
e9a5ecf7ea3f999500326866438e6f54d5486c1811c309476a131fc6eccc0416bc11a37ee5aeb8c1a8432d62814b25a5730958b9654114625a86e8f6939b2339

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp
Filesize
660B

MD5
06c9e30575a76e9078b3348a847e5d5c

SHA1
ceb29e8f306b0f49e81b10d6546002077a77c39e

SHA256
37259d75ddf2ee54bb550017eca80db23f92dbccc62f68272e3ff8cacef39b4d

SHA512
0f72893e3248ca82084f50d1caa43f761ae7ef8153f437177f86299ef8df4c74bc38829a86b29628cd369b341cfcf006159dc11d0a4b6d669603a8a39028ffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wleikvru.0.vb
Filesize
15KB

MD5
d293403390fe2c36172b27c64d5c8650

SHA1
7da8e06d74ca0eb27de9be37a7f6edbd09aa977b

SHA256
01f36b19af186ed3cb30eefb5de7a90e1a42ed5fc80c954da69403245116524c

SHA512
38d67d55a3a7709187f1841f754e5c2e526a22ca0e9d7fe9aae5768c220ea698c3295f660eaca8794dd68ee1dbdf0f56878e30e46f92566ebe58cf9e12cf8095

Download Submit
C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline
Filesize
266B

MD5
1bf064ecc0656f91ad4fbcaec55dc0ad

SHA1
7722fbd198aea327cf0c66945f5e1d17d980b282

SHA256
c4469b0b939311c0a979cc97082c1707b698efa50aa68d7f0777ccc66bc99e59

SHA512
b485a0b826d81302c563aafbffe3a53dd71cccc5f3d62cf7c6b89c1a33093c410fe802bb7678cb4456ff077a57c8c4157efc10e6e32da50ca51c7673d18cda3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2716-0-0x00000000740C1000-0x00000000740C2000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-6-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-24-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-8-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-18-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads