metamorpherrat | 12bdda0dea5e73774c7c5ece80c135042386af4dc7bb84e50f71b467cedfde7d

General

Target

4a3a462f29747271c6ff2f0f08d26a60N.exe
Size

78KB
MD5

4a3a462f29747271c6ff2f0f08d26a60
SHA1

7c00e71ce3192a40cb8df94984811ffb13b7e59a
SHA256

12bdda0dea5e73774c7c5ece80c135042386af4dc7bb84e50f71b467cedfde7d
SHA512

af01ceb84c233d28a36c51593d53fb10341db0673329137a134fb426d59b3e98c1049be81810fc888b68c116ecd32b7d62bda75ef0d9d7f82f009e9efc7a13a0
SSDEEP

1536:He5sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6z9/NU10m:He5bn7N041QqhgI9/Ny

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2588	tmp9608.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	4a3a462f29747271c6ff2f0f08d26a60N.exe
1712	4a3a462f29747271c6ff2f0f08d26a60N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9608.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9608.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a3a462f29747271c6ff2f0f08d26a60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe
Token: SeDebugPrivilege	2588	tmp9608.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2040	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	30
PID 1712 wrote to memory of 2040	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	30
PID 1712 wrote to memory of 2040	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	30
PID 1712 wrote to memory of 2040	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	30
PID 2040 wrote to memory of 2600	2040	vbc.exe	32
PID 2040 wrote to memory of 2600	2040	vbc.exe	32
PID 2040 wrote to memory of 2600	2040	vbc.exe	32
PID 2040 wrote to memory of 2600	2040	vbc.exe	32
PID 1712 wrote to memory of 2588	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	33
PID 1712 wrote to memory of 2588	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	33
PID 1712 wrote to memory of 2588	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	33
PID 1712 wrote to memory of 2588	1712	4a3a462f29747271c6ff2f0f08d26a60N.exe	33

C:\Users\Admin\AppData\Local\Temp\4a3a462f29747271c6ff2f0f08d26a60N.exe
"C:\Users\Admin\AppData\Local\Temp\4a3a462f29747271c6ff2f0f08d26a60N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btqvapyr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96F2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a3a462f29747271c6ff2f0f08d26a60N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES96F3.tmp

Filesize
1KB

MD5
0f21d473eba1d97b715fc2537c576f48

SHA1
c953dd33fc4b1c3b8e37a1638f0f8a2c54799b7b

SHA256
e67cdc9a836385dfcf8c828177b7b09f08e0aa82965179f964b94e281ddfce37

SHA512
24b526199d269ea2ff1b73e9ec62ba44fff023d7e8f606c02d66573a2ec655744839324f669dcd555f37b0796243905e0fe314fca42e1817d22bfbf36521cd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\btqvapyr.0.vb

Filesize
14KB

MD5
d379c7875422b2c10c5d97f764fc9b84

SHA1
6c32370fa642b706f7ca95dbcbc87ec4bff81c1e

SHA256
4eacbc14e024fdad9f15973c91a8687a131e92af43b4d6b250de4d189208afc9

SHA512
62a005b417338956ca82a932a07b7c91a0f56b64dc4b53584463004f6b7b0cbc5a2a1c0eacf41ca7e20419f24482cc954f496bcd871c03bc8dc0a10c82586f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\btqvapyr.cmdline

Filesize
266B

MD5
89a4559bf9c0b7b20dd08f694b1eb445

SHA1
563480982ec9f1cb7f7a31c88329b7f61df8a02b

SHA256
52b8a4566caefe7dffc62fa28c747ecedd0eceb5657299e45663542c0bd9add1

SHA512
04e9ce048c19fea7845a1a38feef21ba3a90ff3f500994254a90d32b863e535b755a50cfe514458491ba399ff40027552396c7dbce3f1a925ce1575e3fe1b52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe

Filesize
78KB

MD5
b950ea521739ada00c3c4b6813aa3380

SHA1
5ab4fe0aa5d4868bd66622aa2f1746ed9d1990c4

SHA256
efa8486fdb6d07f6a6f05c7a5fd208ab181762e7d9307ff7de6d6576c10b493f

SHA512
9a1090cd6fbfe671abb3cb3d673030833bcffa21b43db8bb0175f3e428fdc72e9dc7a5e2f7cffec3ee3d63a651ac578d35a4c52c6da43e8c6b4ded9b151ca66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96F2.tmp

Filesize
660B

MD5
ef827095057da0304b070414f96230e4

SHA1
e372fa409ff8f1f7bc950eff86d590f85bda04d8

SHA256
7fb1e7504342090ae690591fb33d58c827b48257597796f79dfddd2cbfddf781

SHA512
af3902bf9fcf867b6ec8e80cf5d0a64895b8cee0c54df99cf212a2231a230b89d8736260a62c93a4a5ca48a13bcda5c17a8307c70d8e9e540c3e064ae45ddc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1712-0-0x0000000074321000-0x0000000074322000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-24-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-8-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-18-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads