metamorpherrat | 30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285

General

Target

30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
Size

78KB
MD5

e6944c8c11e1cd77b5064016970c35a0
SHA1

2ff2707a5c0474e3419ba7d8619c9e5d57685f3d
SHA256

30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285
SHA512

e06f9753ca3288d078bdedcbc43e1f44cd1ddb3e484d5fa3a5b516a1977595e78303a7072a415e0f0c928e10bca72c53cc109dd58074be52350a9d8103243768
SSDEEP

1536:oPy5jSVdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts659/Gy/1cP:oPy5jSAn7N041QqhgP9/GyU

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2264	tmp951E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp951E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp951E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
Token: SeDebugPrivilege	2264	tmp951E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2296	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	30
PID 2340 wrote to memory of 2296	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	30
PID 2340 wrote to memory of 2296	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	30
PID 2340 wrote to memory of 2296	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	30
PID 2296 wrote to memory of 2220	2296	vbc.exe	32
PID 2296 wrote to memory of 2220	2296	vbc.exe	32
PID 2296 wrote to memory of 2220	2296	vbc.exe	32
PID 2296 wrote to memory of 2220	2296	vbc.exe	32
PID 2340 wrote to memory of 2264	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	33
PID 2340 wrote to memory of 2264	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	33
PID 2340 wrote to memory of 2264	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	33
PID 2340 wrote to memory of 2264	2340	30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe	33

C:\Users\Admin\AppData\Local\Temp\30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
"C:\Users\Admin\AppData\Local\Temp\30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1z_b6yuu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95D9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30cdbc075791c6d775283f12fbe3e6bd2b60be03f56f1b60bd2ef12b2209b285N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1z_b6yuu.0.vb

Filesize
14KB

MD5
ac1a7af120ea799b0a597b38b216d52c

SHA1
88c11aa20cc35e63df2700243e8dffacecd67953

SHA256
4be4c5c72ccf39551d3660e63f693671afc7ce7fa8e5ba290f7ae6e6d7c76518

SHA512
9df54fd46cd4e04155e4e272a18225fabe9dceb8e00af87d75c1a4356beefeef099493b5c99242d9b80be521be2edd172ed76031327299d26429d811cab34295

Download Submit
C:\Users\Admin\AppData\Local\Temp\1z_b6yuu.cmdline

Filesize
266B

MD5
8e3508dcec3158fee7ac3bef2ca9d57d

SHA1
f4804f08ecbb7cf62bd80a7e7cf6345d11e28bc1

SHA256
52dc760a6860b2502689a941bbc917e6d8b5c9402a62fc67d91ae70c2c98fe95

SHA512
4f5817c630f2a9a332360f9dc37e133d86a59036fa493f9bd823e002e10ae77809ba38cd15c5f0962a6766c8b27d829aaf60e32e46d91410d8f7438b73242e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95DA.tmp

Filesize
1KB

MD5
3da95de9a234d9a5fafef8913961c972

SHA1
55ae775f389423fc68d78a4b1a98d1ccd445590c

SHA256
4921407a3ecf671e3c5e7fe78d6a635ce77211a3e6e55d78998e5d646cf0e6c7

SHA512
c47d54597f4507261f2f854e06a7a877244ba373982e59e223e673c65e40cdfcfcd03c00189c886f14a021da539453859685051a0b9a59de703afa6f806321f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp.exe

Filesize
78KB

MD5
032ad6043e18ffcf25ace86cd10cecfd

SHA1
1413099eeca8ed980c37e215eb151691aab2c065

SHA256
ac338c5c1d46712c0d8a28f4453ea4e8d0be9db697327e3dac4068b120763f93

SHA512
4c442aff1a639cd0a2d60370500ad7f6b894a6f2eb7020bbade056886d59d3dfd0c72dadf051aba88f8ca6439f41e0da17670d6672f861cac87035846233bc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95D9.tmp

Filesize
660B

MD5
a2431ccf2310edfccae7d1dde1a419e9

SHA1
63d07395326e5ee566dd68787250ff93d713205f

SHA256
02490b5289d761de80203e54f866ffcf1bd32e04420d35e7f71abbc6aaac5c0b

SHA512
e1a105383bdabe6d76cd80f8ebd7a2a7637e7cd16d0b46b307f57cd52e8e3d0e00198aa92bd1094cc6c31f0b1ec4b29f7bad06b70c6ea379b7d2b863fcdc5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2296-8-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-18-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-0-0x0000000074131000-0x0000000074132000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-2-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-24-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads