metamorpherrat | f6950aa2608d44af4e9ab8a77b3cd2b10b1a538f40130e651733bb49b09d8f70

General

Target

29f9b680505b0abf1f09b72d6537cc30N.exe
Size

78KB
MD5

29f9b680505b0abf1f09b72d6537cc30
SHA1

733878d7d19ca0f5c93e70005284da811fdcf5a2
SHA256

f6950aa2608d44af4e9ab8a77b3cd2b10b1a538f40130e651733bb49b09d8f70
SHA512

fa8cdbeb33518a908c039270a6b71b2d42f235d7b334f4339a0570d0ffa8d45cc0d6dc0380cfdc14df43ad7e9c3f69fed8a65d522adca4ee91b91f959a412185
SSDEEP

1536:4tHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtq9/o19N:4tHFo53Ln7N041Qqhgq9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2476	tmpD643.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	29f9b680505b0abf1f09b72d6537cc30N.exe
2452	29f9b680505b0abf1f09b72d6537cc30N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD643.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD643.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29f9b680505b0abf1f09b72d6537cc30N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	29f9b680505b0abf1f09b72d6537cc30N.exe
Token: SeDebugPrivilege	2476	tmpD643.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2004	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	31
PID 2452 wrote to memory of 2004	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	31
PID 2452 wrote to memory of 2004	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	31
PID 2452 wrote to memory of 2004	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	31
PID 2004 wrote to memory of 2956	2004	vbc.exe	33
PID 2004 wrote to memory of 2956	2004	vbc.exe	33
PID 2004 wrote to memory of 2956	2004	vbc.exe	33
PID 2004 wrote to memory of 2956	2004	vbc.exe	33
PID 2452 wrote to memory of 2476	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	34
PID 2452 wrote to memory of 2476	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	34
PID 2452 wrote to memory of 2476	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	34
PID 2452 wrote to memory of 2476	2452	29f9b680505b0abf1f09b72d6537cc30N.exe	34

C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe
"C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a8t2cqrc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD72E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD72D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD72E.tmp

Filesize
1KB

MD5
f0375ab131a53263a94e8d1c3e55a667

SHA1
e5eb04709b2276fbe055df288568cad5c2769b61

SHA256
aa5b12791ac6c8bfa5026f20baf42fb7633f5244292c4368a706ed49aaaed0bc

SHA512
cd3329c46702cca6759ee0959986bc266b3fba7ee0bc4b5d9dbb3eeae5398f733344d6ed7a200d3f23bade16fe59182c4b2f3adb925cc233aca9ebf21d73bb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8t2cqrc.0.vb

Filesize
15KB

MD5
a16f5a16d969787c936df8c90144a3ec

SHA1
d19c690beae638d99567e92b3dde6fefa6a80eb0

SHA256
1aa2ff93603d2f5634993afcfc60b62f4d0d8f498e9997eedda9d222e9858fe1

SHA512
b754d633fe9ded668edc73c247d2eeeae871ca31ebc7bf7bc75114074163689b1a1224de5c2e7a9ac7070744d592c6f3d267c7435927e9cb019c10c2d07ce90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8t2cqrc.cmdline

Filesize
266B

MD5
5f72036a785062e9b46a2307414f481f

SHA1
a72adc0893173da76cbb62e3bcf74fa4a3a0f52e

SHA256
c6a04afac74fe21bb370c0ef055cfb9ad1c571b836bb4f8a2517524d7219d408

SHA512
c1df8c56d7513d13b6f6ce6dd2408bf543b7a5ee5ddbb07e5e29bb303812e9817ae23edc42ba3632a13a7531a6ee6a143193a0cde8ce7cd6a7c99674238bde38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.exe

Filesize
78KB

MD5
45c3e43b7f338dbbec627735cf9362c3

SHA1
9ab56e24214e3417b867a1850607723840ad51ba

SHA256
73dabefe5f5584e9a630a4851bb026c78a1fc362211a834cbe4a8c8101acaab4

SHA512
88f6f361293a4df03137f0a6da831e88513c1e7708eadebd92a9ca2431e0d26e63488565f45f6f565525a8357c05409267b9827edc94682654bcd48b6d63be29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD72D.tmp

Filesize
660B

MD5
93ce5f5e3faf38dc01610bd9e736f264

SHA1
52f50b85f61ebdc68e1363ed061ac22dfdfb0d58

SHA256
8143ad62a87f1828da03c7a532951ffc657a4ae70b56d34f7f9bf42d79710ce5

SHA512
359e4b931225ce7684d14720772a31fa3626c643d799b81cccca5de62fbabd311bc87a0a690c83fa322e4fed85b584a91da92f1a6443b35dca513330510f5d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2004-8-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-18-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

Filesize
4KB

Download
memory/2452-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-24-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads