metamorpherrat | 266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b

General

Target

266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
Size

78KB
MD5

e75c70a4ed3f4f87dc148a69ad362144
SHA1

495a389e7880ac5c1f2ba243f5b3842556039f9a
SHA256

266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b
SHA512

8524ad5d54283c7181c1704d7b268eb1f3571051f284cf98bf4b89ea90dc26c4143308c8eeabcb3957d8337a62983f662c408eff47ddfa48927349b43cdf526e
SSDEEP

1536:cPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtQ9/512A:cPCHY53Ln7N041QqhgQ9/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2628	tmp2D38.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	tmp2D38.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp2D38.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2D38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
Token: SeDebugPrivilege	2628	tmp2D38.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2640	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	30
PID 2700 wrote to memory of 2640	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	30
PID 2700 wrote to memory of 2640	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	30
PID 2700 wrote to memory of 2640	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	30
PID 2640 wrote to memory of 2664	2640	vbc.exe	32
PID 2640 wrote to memory of 2664	2640	vbc.exe	32
PID 2640 wrote to memory of 2664	2640	vbc.exe	32
PID 2640 wrote to memory of 2664	2640	vbc.exe	32
PID 2700 wrote to memory of 2628	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	33
PID 2700 wrote to memory of 2628	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	33
PID 2700 wrote to memory of 2628	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	33
PID 2700 wrote to memory of 2628	2700	266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe	33

C:\Users\Admin\AppData\Local\Temp\266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
"C:\Users\Admin\AppData\Local\Temp\266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wfvb6dp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E70.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\tmp2D38.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2D38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\266e13488f21ba0896e8fb1ca3a95a500fbb0404d9e105ff0b18ed8705cfaf6b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6wfvb6dp.0.vb

Filesize
15KB

MD5
07312a33bb7ddb8b7b53e0e72ba0e3f7

SHA1
307d1d8a9de1f1a239d159fa7a26bb9e3bb86339

SHA256
743f684c3e08dd7e05ba6e3e5b3c62182a7e312eceb472381f08276fc435f4c3

SHA512
0464b560d53a08f8918680533c4fc7a87380dc97366e5c683e2e2e11544feb13a007b98405e3162b63755c1895e8364ee00d0113ebc7766527fb1f9db23c026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wfvb6dp.cmdline

Filesize
266B

MD5
5166a947ec06be0f0df155788db8198b

SHA1
001d071b722c55b01be599a5f04affb17c191531

SHA256
fbb89992e4fb628775ab441d6121b5e220acefcebac64e35d3c484a5c1787693

SHA512
0e4a4d8e8f3b217c00d5ac58a97f6564d6fe45cfdd352f85868676e3c50bf92492132cf651217b199612fe4b0bba91d5e7e5a10b484bc20b8ab55c7eae4a72d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E71.tmp

Filesize
1KB

MD5
bae63365bbb5c0bad69f91311d35cc09

SHA1
854c791dabaea092189885e88071f670ab1e3e87

SHA256
21e49ebf2f910cb1a14772a9d52b049b0a040d8e698270057f613999808c0057

SHA512
e01caab9d19ea9b41638d0ed2929eae0e4a5fc19fe53713bf0f810e154464da3c807f5ce0f5111962185a8bf3a2c143359aa7e447010ca314fd1b0fbde769c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D38.tmp.exe

Filesize
78KB

MD5
fbef1855e5a49adcfa98faca1a8866c2

SHA1
188a1ab134b5943d33774a1af28fefc602824464

SHA256
1ed92a109efd64420d7b99e5f965c9b3c8673d14e4f88b02dc8bc9dd4877f1dd

SHA512
c22fecfe1c78f5459dbffb91204fbe6efc738464ad8c386c686cda212f677a72592ad7ea99d525e0b63e5bf9e13a3286911f11db1753719057f4c2e06fa865bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2E70.tmp

Filesize
660B

MD5
6aa8d2ff6dea64fdf9233319669dc905

SHA1
3d480bcedcdb6658edac6affa979e7f756a9b625

SHA256
63e48bf935177800a3992b7972ad05ae50e074246e6ac2ec6953ab8e31617d66

SHA512
67cdebc37bd48e4157eb75ffe6e9342b6deaa1adf1aed114c5997f14b586a3617852b4960338bc76d6da190e26330d69b74b9a5326faca16d2322cc60034f29b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2640-9-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-18-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-0-0x00000000742A1000-0x00000000742A2000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-2-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-23-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads