metamorpherrat | 5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5

General

Target

5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
Size

78KB
MD5

8124fc490fdbc572fbc501e4f5d27770
SHA1

8b5ccfc08912eee29ec0ae27532b19ba241901f7
SHA256

5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5
SHA512

39ad9c87b3e280acb84d74c8876c55ca53f0225d82fa457d34bc7fb696d53272be0423613207c9ee1a051bb38598e4219acc4260d1a9bb1678a43e2f8ae073e2
SSDEEP

1536:CWtHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteR9/e1gi:CWtHFonh/l0Y9MDYrm7eR9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2772	tmpF631.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpF631.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF631.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
Token: SeDebugPrivilege	2772	tmpF631.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2800	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	30
PID 2132 wrote to memory of 2800	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	30
PID 2132 wrote to memory of 2800	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	30
PID 2132 wrote to memory of 2800	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	30
PID 2800 wrote to memory of 2696	2800	vbc.exe	32
PID 2800 wrote to memory of 2696	2800	vbc.exe	32
PID 2800 wrote to memory of 2696	2800	vbc.exe	32
PID 2800 wrote to memory of 2696	2800	vbc.exe	32
PID 2132 wrote to memory of 2772	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	33
PID 2132 wrote to memory of 2772	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	33
PID 2132 wrote to memory of 2772	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	33
PID 2132 wrote to memory of 2772	2132	5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe	33

C:\Users\Admin\AppData\Local\Temp\5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
"C:\Users\Admin\AppData\Local\Temp\5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xllae4jj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6CD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5595d4f51ff45eea028a6e5560e986f60f5a45f18e36ee26ad8230813d8640d5N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp

Filesize
1KB

MD5
2706d3f9df937201e36d424e4300cb9f

SHA1
d5cd69f346e45ab33fe627b41c32160da0487671

SHA256
a8ab43f31788a8f39b8e81a8b00f5e36dd26ea90067a479b184ab3efbcb77fa8

SHA512
a6d828b91a65a8e8ac4bdfb9bd130d4f87d8ef164236eb6f366b774f3138ec46188de295f495584fc2a726361c24408a16f34b81bd5058ffb661d6ab0443f0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.exe

Filesize
78KB

MD5
d2edb4c2b7d672e14c3c6ed3ab59088d

SHA1
72c7499ad3838d3791d1519708b5f0d2e9c9efa1

SHA256
4be5f2fc8a725092a10bcadef2d4c7fb9595bc541b7150f7975bbae5ae02b8e9

SHA512
fd73278bf56aca5b2971a5b6e52282a5ebe3b32964a5bccbc0203b2b5c2c8ccf16abdfc49007ca7bdf3bc4f9ae79c3ea851f2e6464e889fcd37ce5b89782edfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6CD.tmp

Filesize
660B

MD5
8ec71a8ad1823af1fe66833128d443a3

SHA1
c4f5234791e6c6374ff138262891e4d2a4d3d356

SHA256
5473fbe2587df4b2bebe1c72aae8c018a04a920281f1725df5c7f4f3c2b4d36d

SHA512
36003e3c7a4a9e2945ec18b1c3d451b83d8cb5c1910f5ffb3b8a53cf21fd6e4a27fc5388ade309adbbc87b91e517a17f2d8f0908703d5339f33871a5ef718ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xllae4jj.0.vb

Filesize
15KB

MD5
9a02eedd1ae0823725b97ab49b41e999

SHA1
e9a136ab1b2e75d40486dc42be70634b86c5d3f3

SHA256
513827921da8859296917ccf0d36abf8ecf1aec3c23dd2f314c7c9420cde680c

SHA512
14781f3e0ce43e5d498ca79a0191f2e53a9bd84506d1413843c807201fed86e6326a88f78a074639972eb87140d6fa249936b9521522790c3740a3d38ab4db55

Download Submit
C:\Users\Admin\AppData\Local\Temp\xllae4jj.cmdline

Filesize
266B

MD5
0b6fa1b26ae2718ccd35b03adc82e7ed

SHA1
608bd23cb9038fe243f2fbf85f9d09b46b1cec3b

SHA256
ab6e3f8b1bdee8cd515a061640f376253f0931ae49e0595f3b82c1b002cec221

SHA512
70ce20ea16d17275d55f46a7d5bb617ce33f36cf45438f4cbf69c48c0d9c31c816b5dcf7eedd4f3a005556b6181bd71ffab0f0aba71f6c7163b277221dd10b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2132-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-6-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-24-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-8-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-18-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads