metamorpherrat | 13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3

General

Target

13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
Size

78KB
MD5

4a32dd38e88cbb661c97c3a2ff474770
SHA1

0eead370cde58e0a8e6e2a1bb073316bec850ab9
SHA256

13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3
SHA512

520ef69a0f17c16659084e6c3dea51302c631d4d60f2efbc4eed3b784d75e014f10fac030053eb4fe0386644131a74d8500d284cb43b1c6b3b2ce3e1d9306c79
SSDEEP

1536:KRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteG9/G1VA:KRCHFq3Ln7N041QqhgeG9/t

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2168	tmpF641.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF641.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF641.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
Token: SeDebugPrivilege	2168	tmpF641.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2676	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	31
PID 2652 wrote to memory of 2676	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	31
PID 2652 wrote to memory of 2676	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	31
PID 2652 wrote to memory of 2676	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	31
PID 2676 wrote to memory of 2220	2676	vbc.exe	33
PID 2676 wrote to memory of 2220	2676	vbc.exe	33
PID 2676 wrote to memory of 2220	2676	vbc.exe	33
PID 2676 wrote to memory of 2220	2676	vbc.exe	33
PID 2652 wrote to memory of 2168	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	34
PID 2652 wrote to memory of 2168	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	34
PID 2652 wrote to memory of 2168	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	34
PID 2652 wrote to memory of 2168	2652	13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe	34

C:\Users\Admin\AppData\Local\Temp\13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
"C:\Users\Admin\AppData\Local\Temp\13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7jhggyoc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF74B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF74A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\tmpF641.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF641.tmp.exe" C:\Users\Admin\AppData\Local\Temp\13a7c27f89f2183a8d81bceef8c00df32f63d9f59d2a26d6a8b8b9916c4408e3N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7jhggyoc.0.vb

Filesize
15KB

MD5
10b80700ee199c0cfcc9e47a8790cbef

SHA1
31d9f3334a33282b0375ac85171d50d42ad11697

SHA256
c501ee1e9e85a991be79bd6f47669b0f6e824cc5f6e0662c163884b119185bb2

SHA512
b86ebae9392e0ca41ef08e535bc7076ba2ed49fa31aafeab21325478ac296343b4ca4a2a112956335ec7b8d057103348835c134ebaaad93166ec912e1f31b9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7jhggyoc.cmdline

Filesize
266B

MD5
5947d9a9775525ee422db6e301ebf2d4

SHA1
51f383a7eba0bb880e7f0131ce57f63d2f1795b7

SHA256
a44540bbee859d0cd553b1945b09029d9bd356ddf3471d0bd785842af8cb3323

SHA512
20cf8e11ee2123c7e4fa663a7a728d89c790737b4401db4f48880101fc8b82d333242376e0401d7dd3d19902872beb4302487ea1dd378db09a0ce0db60413d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF74B.tmp

Filesize
1KB

MD5
fa02b2908c8cbdb4068c9cbba2f4019d

SHA1
9d3b7a1545761718efc83ea127a9703a7b86e744

SHA256
4f71362034acdf3226f2acd65ff7a33b2d4b19b03e43de0489480f17a8a56c3e

SHA512
9dffa4c3bab6c55bf43a27897f850d0fcf2878455c9842357270ce4d5a9685115529a79f633073f19f7e2961544f050abc222f5258cb6a33a4d2a1b69847493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF641.tmp.exe

Filesize
78KB

MD5
77a1d7bd038fd10e4e9ac94e92e222a2

SHA1
ee1f48a36052937e25c502873e7de4ca2a443d44

SHA256
58fc3125b407e7b5f034f54f6850312e678ee891e0872d5728797c69f6945a85

SHA512
b811b283173d939f7a02b5f5d5da26896f3656b57bbd9b048bea8ad507d34c6f7a90bcbb39ed584b5bd7b2bf19518f56481fff556f0c9de04a2f1b0b4327311d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF74A.tmp

Filesize
660B

MD5
49f4c60db5b315232d802fef32ed4959

SHA1
b4dab9a008cdd56bf122c48dc2a77eaee3efd4e5

SHA256
c90a20ae9ae0bb67000c3276725f0e39a7546f6dcddc160b20813d07632483b1

SHA512
9921d6f3438f7cec03d70932d617ba77b669547a2bbdc126e2461b47cbda1b86361f49fbde14ce0de2f1b7e4eb080c0cf3bb6fa66574ced2c6f7393b8ba44d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2652-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-3-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-24-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-18-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads