metamorpherrat | c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07

General

Target

c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
Size

78KB
MD5

ab3197069f1aacfb8e06edbae575952c
SHA1

a3b715bb1cc4f19201de085828ef5be278b0b167
SHA256

c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07
SHA512

5599df2a50daaa4e01b50145b149e1a967bef5487cf42e048e143ab4f089e7ef00289a5016ddcfe3c62eece04987ed53583653346de7155857609a6351e1752a
SSDEEP

1536:GRWV5jS5dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96gC9/b1N6:GRWV5jSkn7N041Qqhg49/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2688	tmp50FD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	tmp50FD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp50FD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp50FD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
Token: SeDebugPrivilege	2688	tmp50FD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2728	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	30
PID 2708 wrote to memory of 2728	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	30
PID 2708 wrote to memory of 2728	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	30
PID 2708 wrote to memory of 2728	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	30
PID 2728 wrote to memory of 2312	2728	vbc.exe	32
PID 2728 wrote to memory of 2312	2728	vbc.exe	32
PID 2728 wrote to memory of 2312	2728	vbc.exe	32
PID 2728 wrote to memory of 2312	2728	vbc.exe	32
PID 2708 wrote to memory of 2688	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	33
PID 2708 wrote to memory of 2688	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	33
PID 2708 wrote to memory of 2688	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	33
PID 2708 wrote to memory of 2688	2708	c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe	33

C:\Users\Admin\AppData\Local\Temp\c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
"C:\Users\Admin\AppData\Local\Temp\c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azq8kkej.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5265.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5264.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp50FD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp50FD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c5959c61c2a13a9f01da43c8f9270fbc3e0662bb9a580b16239ba82895a9ea07.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5265.tmp

Filesize
1KB

MD5
2268b44af401119f017a6c5ba112806c

SHA1
d0c7d8f1eb11b8a86d4c471a048ba1577934b5d2

SHA256
5b32f1ef33f5ffcf55dbfcc851ebb7d0484148ed87f39fa4a2a758bd3c559add

SHA512
2fb26a20589586a3a7981d146e494a3b81026d30f7890b20e1e9324070a15d3162cf147957f8f23909d9132530b77218985982649d4a26386a2fd3e242892bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\azq8kkej.0.vb

Filesize
14KB

MD5
373ca1156b9de8f10ac67969eec45d44

SHA1
afd40b6a3c016dc7ea42a77335ae9ca5193287ec

SHA256
ac6f178f6484f7493de3ecaf8eadfaf7b610b343bc2ef9391769fd5fad03918a

SHA512
91e97275f35a0cf5fc5ebc5c2f0ceed0159f369f5ab479cf9411c07533d844fc47ded5f4a8e27df5e4f71d74cbb93429d05a5abe8ddbf017101ad7cfecef409d

Download Submit
C:\Users\Admin\AppData\Local\Temp\azq8kkej.cmdline

Filesize
266B

MD5
e0fe39689ea2970bcf75c559153ccdc6

SHA1
54e502a9a218fc2f3243fb7035f6daa71c2cf6eb

SHA256
4a1f41a5671afdc227467d9e23ca8ac1890e756ed8c216eab2d644f17a922c42

SHA512
e88360fca4fdab0b40948af55c921dd60bb5762c488dfd9fa58d9a1bb65740357878503c6c4034a4026fd2cf69a03ea3f0a0ece77e87cb2517bff1677585d6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50FD.tmp.exe

Filesize
78KB

MD5
320adddf0f63fa139e20bb57be7e9b55

SHA1
40ea839c9239d23d92ad246b3b5e95d0742b0879

SHA256
bfdf30524c3d5f56e3a34936a901e99c9e1df408d2bee5cfbd6c876663a2ec17

SHA512
938012e709b7209e257ad10b782ce0b6c2ce3d684bb521ad294d508360366f3587326a9ee0bfe13042bd59e00656732b41a82836c2e928ce148bb16d97a208b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5264.tmp

Filesize
660B

MD5
be2da6dcd46da3650225d2a96f7a3736

SHA1
2ae37fa40f0eace494126c41a3ec5d6dc9e12549

SHA256
37215cadc7de4fb64ae9a748f3d63864da25cd10752671536909856be99a9313

SHA512
0f8f7fbc436e0fb7764ea55e2aef255f6626334b632268d3c7170643414472b98f89c1b0070ec67f6695d3db84cba9a5d99670d087f26ed8a83a3772a7b18779

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2708-0-0x00000000742F1000-0x00000000742F2000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-3-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-24-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-8-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-18-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads