metamorpherrat | 094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9

General

Target

094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Size

78KB
MD5

41d6067a155a8321042893776fe9c852
SHA1

68e7ba49e2733b43b2d3f453546fecf9c8e98dda
SHA256

094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9
SHA512

1bad1478a1b3119dbc11a50555188bad83fdb3894a61a6d2c3b560d72fc67c78eaa6979b6390c1d3fc059842dea9480dd3022e1161cec769517df021b54347b4
SSDEEP

1536:Mc58wvZv0kH9gDDtWzYCnJPeoYrGQt961A9/b10U:Mc58wl0Y9MDYrm7GA9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2936	tmpC207.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpC207.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC207.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Token: SeDebugPrivilege	2936	tmpC207.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2504	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	30
PID 2076 wrote to memory of 2504	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	30
PID 2076 wrote to memory of 2504	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	30
PID 2076 wrote to memory of 2504	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	30
PID 2504 wrote to memory of 2416	2504	vbc.exe	32
PID 2504 wrote to memory of 2416	2504	vbc.exe	32
PID 2504 wrote to memory of 2416	2504	vbc.exe	32
PID 2504 wrote to memory of 2416	2504	vbc.exe	32
PID 2076 wrote to memory of 2936	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	33
PID 2076 wrote to memory of 2936	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	33
PID 2076 wrote to memory of 2936	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	33
PID 2076 wrote to memory of 2936	2076	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	33

C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
"C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v0gd4fta.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC36F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC36E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe" C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC36F.tmp

Filesize
1KB

MD5
813b895fa8c1abaf7e1f16274f926179

SHA1
8a42f152b9343604243be1509f0dad4c3ffa1015

SHA256
6fe700a525b41301dd9ce8ee3a8c86348c2d5e863749a28a8e910e2a800c1eda

SHA512
c8075299ee083763e31259f146d759cbd08cc1a675b376aa2c7fa663a11e61685f756b4dcb0c51c6ce15d6e1ef0da358047aaf94f6c87727b3ee6ee71dbc93a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe

Filesize
78KB

MD5
2747ac095a93ed117182b99e842f04c9

SHA1
17c8c2114eef30aa138562acf27b1040366396bf

SHA256
66878d47343d8eda91fe1c058c3d2ee14ffe4f1223554eebbf03a9d44da352a7

SHA512
f549b51727953982432aafd5edf96a9e5bb4beb1e0823a78474b6ab197b3e2aa8d3876c6454ccfe8604c490af1e97b3628a6e93296a8f808473e70ebc1ad30bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0gd4fta.0.vb

Filesize
14KB

MD5
c3b5deb529061896139e51ba27b020ec

SHA1
a1a5488124c3b52591964707764c3460eb635fcb

SHA256
64c1fc9df7d36844b52d0303af3b8791cde63c773c8ccd9282eeb17989e5d702

SHA512
fcb17dbd9219f7b0554aeae361aede1cad51ce395a9e1202e23ce80570779870af2f9dc30b8c459acac74745738f15982b51776d85adc37d23ce2c0162642311

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0gd4fta.cmdline

Filesize
266B

MD5
ad65a56f45bd52d8bf8c54dccd43b264

SHA1
e0e66d8e58734f581c07cdd44213c5eab8ff7094

SHA256
c1df3d46d5cdf2b2fbfd490a4ed625bc0f2fb0823d43e1b15db27d97f3a0e8d0

SHA512
a399e306c7ed2e0dc4f3e2a89e386d12ddfac52035523951d36fd9259745907b8140125bd3cfb51e74522898324be1fafa2feacbf89db2b421782117fbbb9df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC36E.tmp

Filesize
660B

MD5
768ff608e3f52e71fbc1cba90f85c062

SHA1
7b7f3c1d3cebf72879793143e9255e012d8a805b

SHA256
d1e01c47148ee6dbf67e6c6a33e5053613b620344a9250cbed1194c144ea5bd6

SHA512
f1e02cdc66677d0d6331f0ae1a714ecf463001837995faf98ad9e5d796f32081e2c6e84bcf66f3f37b3cb65e096d75100744361629de28d871f685280f004729

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2076-0-0x00000000740E1000-0x00000000740E2000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-2-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-24-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-8-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-18-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads