metamorpherrat | b0eaaea93af75e058e49a26348511828fca5b79ae53d5ac544f3b30f54f431da

General

Target

eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Size

78KB
MD5

eb5e6c4e4db36b9a5ae247e10491c8b0
SHA1

b7c400e676c79484218396b181949e2edc049260
SHA256

b0eaaea93af75e058e49a26348511828fca5b79ae53d5ac544f3b30f54f431da
SHA512

2279f7b6087d0536a4fd906d1f2e918733dcf74164d4a802579119c0515c46d881170ce657138ada0b4476a8b8b186e8dbf88fe79a1e5f0fafd168862d802ea5
SSDEEP

1536:Ny5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6d9/y1lC:Ny5j9n7N041Qqhg19/z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2052	tmp7AAC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7AAC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7AAC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Token: SeDebugPrivilege	2052	tmp7AAC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2076	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	30
PID 2744 wrote to memory of 2076	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	30
PID 2744 wrote to memory of 2076	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	30
PID 2744 wrote to memory of 2076	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	30
PID 2076 wrote to memory of 2904	2076	vbc.exe	32
PID 2076 wrote to memory of 2904	2076	vbc.exe	32
PID 2076 wrote to memory of 2904	2076	vbc.exe	32
PID 2076 wrote to memory of 2904	2076	vbc.exe	32
PID 2744 wrote to memory of 2052	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	33
PID 2744 wrote to memory of 2052	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	33
PID 2744 wrote to memory of 2052	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	33
PID 2744 wrote to memory of 2052	2744	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	33

C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
"C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvxara2y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B77.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp7AAC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7AAC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B78.tmp

Filesize
1KB

MD5
8bcb039e6850a8ca9e1df545d6369a8b

SHA1
a37e4948a417ced6f3cd47a23617dfe98831ef25

SHA256
e1e0496984f36979788f6e94f0c86222f96fbe151ba20990fd4c3b0dd20fee35

SHA512
1f3c19662fc249a3778a3938fe8964aad3e82484a435e6c1462da54590170dc4716127b75d58d7c8cb1d5612b8f8a0f1a2514a8871c7c79e134aa7470bf23e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7AAC.tmp.exe

Filesize
78KB

MD5
41a65826710168ff76e92c9006df1d29

SHA1
31cf750bc1e0064c011f247743ace4a93de74439

SHA256
44a8e8dcb5b8edba206880f7800bc6d774b8c9cefe16392f9682799f84da5c3c

SHA512
85d5a10a2f28a006639abe1ff10e34a1a2d1c77764b9f86cac0f89f43ec6199d415eb728020928244a719f45ab44710bf1549bfc69fb47d9641fdf3a310eb049

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B77.tmp

Filesize
660B

MD5
336de9254100bf96a9e5af19fa1a28e6

SHA1
368ca553e2e0ddf320a37992ce9741bf7dae1dd8

SHA256
0ce1e9cc44b266268daefada0859ea99960e9a7ce79c8b4c6158e583c4c33565

SHA512
f4c1c9baafaea80a5d7da3f71598dc1a47324d6387a119bb7ed9f78e2d970bdc0a37a68048863f76c8a6fdabd37d22b239e25777cce9700cb54e7e6de3b4021f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvxara2y.0.vb

Filesize
14KB

MD5
2e98714eb86af8d8c77a79f3e513a341

SHA1
b4ebb2e55751f0b74fb4d6907117d37bafd3e117

SHA256
348350ae36e3398a9a2c428164eb7261d8d42a3810b0b2ae0b885326e85615d2

SHA512
80d3c40ceb7fd71e9df31e98949e579f75feb790e714bf120072fedd189fd93a5a0a0cb48d5456c25225d8247cb854bad79a625449d2ecd01cefd51950492dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvxara2y.cmdline

Filesize
266B

MD5
8c10d131fbe9a8545248f7b379c505d7

SHA1
2caa7d3d458d315c561356486be66782871a2e17

SHA256
9430dd571ff2fc14ff1248b2ef8104e34f97df9a2c36e43cefcacba5eb380410

SHA512
c011aeeeb63a75412b4af2316771ed8da985f7fc83e05f996e48f12cd6202a22bec71bb099f3ed6be5e8446888d708481d8d450d1244f25f2c18ebec2d717e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2076-8-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-18-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-0-0x0000000074331000-0x0000000074332000-memory.dmp

Filesize
4KB

Download
memory/2744-2-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-7-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-24-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads