metamorpherrat | 6dc87ffc3a8e23f9a4f45d4099aff33f01a0b79f958428531eb9dd7603b9e602

General

Target

5fc07da9ed16a8394b3326ff67d7e970N.exe
Size

78KB
MD5

5fc07da9ed16a8394b3326ff67d7e970
SHA1

65cc35a7281c57d2981ed8aa8adda28f1ee8e6ba
SHA256

6dc87ffc3a8e23f9a4f45d4099aff33f01a0b79f958428531eb9dd7603b9e602
SHA512

afc54f9fee248376f719306b38b3f3c18674fe81faef3a1650e38b9bdcf10a501e8fcdcdab77c3199eea4eb6e0f9a8afdd16c8ca746fdfeb53d50640e259145c
SSDEEP

1536:+e5kdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6Zt9/u1Kn:+e5Tn7N041Qqhgf9/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2788	tmpE4C4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	5fc07da9ed16a8394b3326ff67d7e970N.exe
3068	5fc07da9ed16a8394b3326ff67d7e970N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE4C4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE4C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fc07da9ed16a8394b3326ff67d7e970N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe
Token: SeDebugPrivilege	2788	tmpE4C4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2372	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	29
PID 3068 wrote to memory of 2372	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	29
PID 3068 wrote to memory of 2372	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	29
PID 3068 wrote to memory of 2372	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	29
PID 2372 wrote to memory of 2572	2372	vbc.exe	31
PID 2372 wrote to memory of 2572	2372	vbc.exe	31
PID 2372 wrote to memory of 2572	2372	vbc.exe	31
PID 2372 wrote to memory of 2572	2372	vbc.exe	31
PID 3068 wrote to memory of 2788	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	32
PID 3068 wrote to memory of 2788	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	32
PID 3068 wrote to memory of 2788	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	32
PID 3068 wrote to memory of 2788	3068	5fc07da9ed16a8394b3326ff67d7e970N.exe	32

C:\Users\Admin\AppData\Local\Temp\5fc07da9ed16a8394b3326ff67d7e970N.exe
"C:\Users\Admin\AppData\Local\Temp\5fc07da9ed16a8394b3326ff67d7e970N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\814irhiw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE580.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE57F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\tmpE4C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE4C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5fc07da9ed16a8394b3326ff67d7e970N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\814irhiw.0.vb

Filesize
14KB

MD5
406d7983b3faa1943f9dae7f39e51621

SHA1
3c2488ee0297798596aac3e9b110815a0de44a9c

SHA256
1d9495c3fb6e0e372b5a9aa9b22acfc9c5b465ef7bbd0f49d840f67580c1216e

SHA512
b2551d90e2749a2e7ad7b2e8d52ca0de6171f9883efc999a31eee9944be1d86c0942c3226b6c54e5465a5021c9e63a9b07dd9e66dd4d887351980afbbff97b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\814irhiw.cmdline

Filesize
266B

MD5
05dcf78ddf9911209c05bdcdf9348016

SHA1
145656cf2442c02d46490e04d8e64e19186d06b6

SHA256
e779fea97015d8ba41e10218c63f3d027ba52492398f98ed28b4e49813588ab6

SHA512
270482f164b158b4c85d007182b1a2a0ff8a857370a41c1cd2065d21921416f442bd32dfb78b458c229dd81d1039ddb2ab2e4c484d6773dbf0072c795a876ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE580.tmp

Filesize
1KB

MD5
764a9bbf533aa57993b146bbdbd8ccf4

SHA1
ca6b9e7bd9dd8991e9b11e6eda71bbd9048ca75e

SHA256
b670c648f848d24ec4234245c2935606795c2f8b312b5e990b5ec007c360430f

SHA512
dc7754360b3e106ffe23698af1ca879149651c2493d7c6d30e82676e5cf7ad28b49f3ca5bfcea9e7a2d086b4363c8c4e3dddb1ce637688a93e2b8bca023e120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4C4.tmp.exe

Filesize
78KB

MD5
6ba5765b7db7ceaa2b37e86e3b601099

SHA1
ef79d1cef9b47a9f69bfba9800ff11a23ae0c14d

SHA256
aa0b583346612ca2663eb2d16c4f81dd2e59aa013141767b25cdad7b38ae3535

SHA512
82927713f859421e0858762dbc2042fdc24608caee36bae2e7facc6410ef25426a5b93226a5e86706ed0fb8e5bc7751b24bd4d94db007323cb3e2c911cf4f029

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE57F.tmp

Filesize
660B

MD5
5f745ed68942bf5fa9e314716334d683

SHA1
c1d768b67c999c56b991f9d0294f7e229b55fec8

SHA256
5a7cd277736ee9fe5062d4c2a3bb07238adfc7d9e4924dd6919926e7976c0407

SHA512
758e50ec0ba845b163b37e5191a672ce2995d62a11485d584572d82abdacd576462c5504b3fddb9dc563b4c0c9b5ef0fb6d26e76dcf441582462a6c7a914c10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2372-9-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads