metamorpherrat | a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7e

General

Target

a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
Size

78KB
MD5

1a17b15131f3eb311f87f81692497c10
SHA1

f4cc8ede15ac89249c9b29d7885b7a71fe914e27
SHA256

a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7e
SHA512

86652b6ae070ee93e27affe16ffb4c7bec2aa0a3a831749f57496659edc41c0b48f06b024728d693963e67b65eca784dfeb33c0e842504aad597c29827620b71
SSDEEP

1536:SWV5jSEdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6Gt9/Sp1R4:SWV5jSzn7N041QqhgG9/z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
1136	tmpF086.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	tmpF086.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF086.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF086.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
Token: SeDebugPrivilege	1136	tmpF086.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2756	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	30
PID 2264 wrote to memory of 2756	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	30
PID 2264 wrote to memory of 2756	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	30
PID 2264 wrote to memory of 2756	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	30
PID 2756 wrote to memory of 2780	2756	vbc.exe	32
PID 2756 wrote to memory of 2780	2756	vbc.exe	32
PID 2756 wrote to memory of 2780	2756	vbc.exe	32
PID 2756 wrote to memory of 2780	2756	vbc.exe	32
PID 2264 wrote to memory of 1136	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	33
PID 2264 wrote to memory of 1136	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	33
PID 2264 wrote to memory of 1136	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	33
PID 2264 wrote to memory of 1136	2264	a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe	33

C:\Users\Admin\AppData\Local\Temp\a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
"C:\Users\Admin\AppData\Local\Temp\a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kai48d5a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2E7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\tmpF086.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF086.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a600554468272a7637964fa94b8832ef8f673655b6c144025b93783499024f7eN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp

Filesize
1KB

MD5
c6914a7df2b5b2eb3ebdc3e6cb80b56b

SHA1
f45a3e0c66561cff27df06486a2030fc19db3166

SHA256
5a35b5ee6032faa41caec1e4e7822990714e4a1e2083931f45b8df1c1bcfe58f

SHA512
b362a202e44216ab1fbc4b9592f177b116047f31b8e662629ef43b3f59b75bf5193809900abb268bc1ef7f1dcef0bf02cffb420125bfc607fd2a47e4c88cb676

Download Submit
C:\Users\Admin\AppData\Local\Temp\kai48d5a.0.vb

Filesize
14KB

MD5
926607deb3a79a65965e6d5ecc7a07b2

SHA1
41cd9b40367bf54e9069bc43d00d700b5a3277d7

SHA256
f922d56285e4ee7b33ec9f9d4df322b649bdb50b64abc9bfca7f178a2f8699fd

SHA512
7968ddf8a4163a73656dae5cc303d63fe3af2228fb4e3daa3700077f5b24a15fd0cb11dfd9ad9e28ba76870926c4466d202f598ce3ee286c57996a35cb899b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\kai48d5a.cmdline

Filesize
266B

MD5
bffea59c532f1a448ef840bbb0831aea

SHA1
0da7025dacfecba57bc349a069b9cd38555d696e

SHA256
73f4fe2e3e157d858287697b412b93b11b1499f459e4b2cee8654ce2278643da

SHA512
8f95e95cf3d524511ffe14cf41fcdaee4b7808e760567344015873739c706caa873d6a9154ed817a2480109ee899bb562110e2058e2a2a63699b8663d320d009

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF086.tmp.exe

Filesize
78KB

MD5
298c93dd6b1da0487a7c3246ad78331b

SHA1
0d820a7c291da35c8720df1b2abda5b761491af3

SHA256
084fe448ed0a38c6768bdb1fe7eb7ba1c3c653e6bc60e8f8aee8367174f885c6

SHA512
1b4262083c5dd3f9fadffce109194c33bd93b284452d990176bbc65d41b035e88f26ba97802f1c3386468337b530762b3fcf1d5b670ea4cdc9ea64d54a779c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2E7.tmp

Filesize
660B

MD5
e74560b89c54e2b524669566d79eab5a

SHA1
73739d28500c103920169811804560ecf3411937

SHA256
909a0ffc11702e0687878123d23c6cb12828ace5404762a1caf6bb4b0fb59463

SHA512
96cbfa56cf56714e85d45b1139109695fe64550c97e7df64765bac01960adb0fd2509efc53d87f9b4ef95291a59b1c4f012eaa0de0c3244e0f4e01c21d927cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2264-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2264-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2264-23-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads