metamorpherrat | 2b4edbd97dfbaccc7d82e2e19149088172f5a6f46da5ae30e15a6574b0afcc5f

General

Target

9a4b57bb2ade93773070d3f4c171f970N.exe
Size

78KB
MD5

9a4b57bb2ade93773070d3f4c171f970
SHA1

bd0fc2558c9e830805c98c4ef11b44fb330c9c03
SHA256

2b4edbd97dfbaccc7d82e2e19149088172f5a6f46da5ae30e15a6574b0afcc5f
SHA512

15f0f4aa876a5e1241437a9d7bca329c675575ae56f47be136f692778481896974594e128529548f141e270f515e9f3933b95bf53015c03e6cbeafb2a3bf36db
SSDEEP

1536:K58Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6u9//1hH:K58yn7N041Qqhg99/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp91A5.tmp.exe

pid process

2980 tmp91A5.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

9a4b57bb2ade93773070d3f4c171f970N.exe

pid process

2272 9a4b57bb2ade93773070d3f4c171f970N.exe
2272 9a4b57bb2ade93773070d3f4c171f970N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2980	tmp91A5.tmp.exe

pid	process
2272	9a4b57bb2ade93773070d3f4c171f970N.exe
2272	9a4b57bb2ade93773070d3f4c171f970N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp91A5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp91A5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9a4b57bb2ade93773070d3f4c171f970N.exevbc.execvtres.exetmp91A5.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a4b57bb2ade93773070d3f4c171f970N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91A5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9a4b57bb2ade93773070d3f4c171f970N.exetmp91A5.tmp.exe

description pid process

Token: SeDebugPrivilege 2272 9a4b57bb2ade93773070d3f4c171f970N.exe
Token: SeDebugPrivilege 2980 tmp91A5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2272	9a4b57bb2ade93773070d3f4c171f970N.exe
Token: SeDebugPrivilege	2980	tmp91A5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9a4b57bb2ade93773070d3f4c171f970N.exevbc.exe

description	pid	process	target process
PID 2272 wrote to memory of 2820	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	vbc.exe
PID 2272 wrote to memory of 2820	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	vbc.exe
PID 2272 wrote to memory of 2820	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	vbc.exe
PID 2272 wrote to memory of 2820	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	vbc.exe
PID 2820 wrote to memory of 2872	2820	vbc.exe	cvtres.exe
PID 2820 wrote to memory of 2872	2820	vbc.exe	cvtres.exe
PID 2820 wrote to memory of 2872	2820	vbc.exe	cvtres.exe
PID 2820 wrote to memory of 2872	2820	vbc.exe	cvtres.exe
PID 2272 wrote to memory of 2980	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980	2272	9a4b57bb2ade93773070d3f4c171f970N.exe	tmp91A5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe
"C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94B1.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2872

C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES94B2.tmp
Filesize
1KB

MD5
c10ea92bef748fdd2894ef6543fb5ac9

SHA1
22c70ec6b8806c13502d2d043e45446f07da91c9

SHA256
6a752f494da17a83e5a60e11d337f24a11b7c13decadab7a6bf60b62a4cae23f

SHA512
6677ac3fa6e8612788df27026362c46b15cf68172abbca5cce14c97b258111372d9ccc68ea1ad8cc8479b6ab2b535d22f04bd11e42acc4be533e2d94b3bd576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.0.vb
Filesize
14KB

MD5
c42ad67e2aa92733a79bd6ba757105c7

SHA1
351a1657b30ba9cd5152b88c89702a5558cdf523

SHA256
ee7ee91288206f689c9db88bb4258f920816b266655819eec02c8114e46e3939

SHA512
6b33143496179ec396ed6c974f48ce7616c80e78e70ab74b027ef60c517ffa4efe6ec871af41443d8f6a80a6151393fd4d9e0b1e45de73b4c2969c7b4da88ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.cmdline
Filesize
266B

MD5
017ee2bab7e64d8e39e9e537e349b801

SHA1
2cfb4b34743b430219a6e678157d5f1d0fdd3fe9

SHA256
e2ac17c12ad7fd75b2eb58e7527645d7e91a54da3e5a91d89fb3de92290e274b

SHA512
1c908b0c6a1ae0ab2d795524e3676c1a92ee57b0eee577a952be0924b5008c6797a7d91ab1733ba5d61ecc79dc8f82500b3177a532429edae8ae9d3b59bdd184

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe
Filesize
78KB

MD5
afdd715f918f2564dd2d6f7d3d6716e1

SHA1
21540c4c874453564e43cfe4c645a5c38a5cff2b

SHA256
52efe22d36049ae0325e5fbb07d0f0ed0878c3cc28a8fc49f6bc6f1a76e63ae7

SHA512
2508c077cf06d3af4c9de7b9700a9333a8d7799b9fbf7d6ee78f42ee0bc496fd595caa014e66049bfca458d3ce89a4c76a31c120f0a95df1173d6dd89ed46628

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94B1.tmp
Filesize
660B

MD5
dc1a0e8ae4a2f8f42effbf7675e49f9d

SHA1
c2fecfc3dcba9498859f3c7e153d9f6d8fd33123

SHA256
5b268273d22850cab4640f5571bcaa3f7288dc382162a748299bdbad457cf3a0

SHA512
94b92f2950973637f78333f35e1822ece134fc4ac4ac184fc1f466471e46279d400be78d96fb0662a572dd2ab6b4e4170d7303dd2bb0b8671cae888792faf35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2272-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-8-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-18-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads