metamorpherrat | 6ec7e6e0d3d3f1699fa17ec1a29bc71162acc7ae9c85e94db5d1222b16abe758

General

Target

a183398c50099b929d55e35b7bfff180N.exe
Size

78KB
MD5

a183398c50099b929d55e35b7bfff180
SHA1

0df5ab7b0ee42ab88e04e8886bf4a25357c8b8b4
SHA256

6ec7e6e0d3d3f1699fa17ec1a29bc71162acc7ae9c85e94db5d1222b16abe758
SHA512

dd9aa3b3df05be746f1a8924fc2f4e6b428d529f4d7f9843a8e267f8425e42f3971a09e4fee4d7a42acce36719498722d22927164db2e14ee982b8b03dfadcd4
SSDEEP

1536:LHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtK9/61qU:LHY53Ln7N041QqhgK9/M

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1316	tmp7974.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	a183398c50099b929d55e35b7bfff180N.exe
2844	a183398c50099b929d55e35b7bfff180N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7974.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7974.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a183398c50099b929d55e35b7bfff180N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	a183398c50099b929d55e35b7bfff180N.exe
Token: SeDebugPrivilege	1316	tmp7974.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2736	2844	a183398c50099b929d55e35b7bfff180N.exe	30
PID 2844 wrote to memory of 2736	2844	a183398c50099b929d55e35b7bfff180N.exe	30
PID 2844 wrote to memory of 2736	2844	a183398c50099b929d55e35b7bfff180N.exe	30
PID 2844 wrote to memory of 2736	2844	a183398c50099b929d55e35b7bfff180N.exe	30
PID 2736 wrote to memory of 2836	2736	vbc.exe	32
PID 2736 wrote to memory of 2836	2736	vbc.exe	32
PID 2736 wrote to memory of 2836	2736	vbc.exe	32
PID 2736 wrote to memory of 2836	2736	vbc.exe	32
PID 2844 wrote to memory of 1316	2844	a183398c50099b929d55e35b7bfff180N.exe	33
PID 2844 wrote to memory of 1316	2844	a183398c50099b929d55e35b7bfff180N.exe	33
PID 2844 wrote to memory of 1316	2844	a183398c50099b929d55e35b7bfff180N.exe	33
PID 2844 wrote to memory of 1316	2844	a183398c50099b929d55e35b7bfff180N.exe	33

C:\Users\Admin\AppData\Local\Temp\a183398c50099b929d55e35b7bfff180N.exe
"C:\Users\Admin\AppData\Local\Temp\a183398c50099b929d55e35b7bfff180N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h5bml5jf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ABC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ABB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\tmp7974.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7974.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a183398c50099b929d55e35b7bfff180N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7ABC.tmp

Filesize
1KB

MD5
830f858b806a1f093a8cc960a34e50ca

SHA1
f9b3ffb99e3b61cd07676ef2cced324f035ec1a8

SHA256
97b8d069c3e0d907967d17085836dbce005b965a0ea549fe41b82049dd217d45

SHA512
3cf71e8609b07b1678ee92813cf1f22ab40b1b27183fd81bbdaf0eefd256712ec1ccd14611a15877f53e5fd2337a9fd7639529eade748fcc51c85b5708f29796

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5bml5jf.0.vb

Filesize
15KB

MD5
2c8be90c66931afad7a1aa4aecab8102

SHA1
3ce4df8e857f396eb0eda9ced3d272c3c3ff4c28

SHA256
87b9055a88efd00fbb18a2cbb60a34a46dee42f9bc18a64da44f1578d6ca7fa9

SHA512
2fc48bde2fb2b6157b865645f446ed0fded8b948f3fbc5ae01a920e9574dbaed13e4f9c5ed748852f171ca9cee9cb3e67f29bd9e10a16b8aecac80399a2fb3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5bml5jf.cmdline

Filesize
266B

MD5
2d376e50bcd9d40db74af52e72ba18fc

SHA1
c01f7abda40df1b12138f26c601183bb50c3f958

SHA256
2848a7efe563dd393a3cb4854e6b637c770e3b94a9abbfad4711b89dec033579

SHA512
5c7ddb7c793c5627944a2b5868c7347bfe7efbb26b0d842cb317083915bde340c9c9a2be6f59ef21eff710f27e4cfba2740c335626f70628ae40955fe854b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7974.tmp.exe

Filesize
78KB

MD5
3713ee5889c565b27b2244aa25c4babe

SHA1
5cf5b4dc90ecde39916a8683bff74ed298fbe176

SHA256
e73ae09aa982cbe5d21b4b72110f06123450fdd41856485f550572a82c549261

SHA512
0946e3a14d8e43e971a624c242fb0b0b78a770c0d9abfdd371d9c98a73da726c68747d9598460deca9dce727201eeef2a780da8d80ecc2e6c60ca2c5ee917dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7ABB.tmp

Filesize
660B

MD5
881816dbc6f7efcb016ea82287c3fd76

SHA1
b69dda74325364e4a515275b3275a2bce873dea0

SHA256
3958ff433d7d49f19a0d657b030f2677b9d3e04efceb1d31574a616bf53c6aed

SHA512
aaefef0ad804dd0bd575421bc3fcb4ca65a02014d993a09f10a5b22ebf5888eac1b4bbfff2eae97d5fc2065494177eeda6a3c24284fab010e0aa4f34a84363e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2736-8-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-18-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-0-0x0000000074CA1000-0x0000000074CA2000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-2-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads