metamorpherrat | aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3

General

Target

aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Size

78KB
MD5

ed389ee9a2ce5adc29152cc4df7997e0
SHA1

fae9a619e69074a45ec8ae9e5dda17cfbdb88eec
SHA256

aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3
SHA512

8b66ad5c3a9da4fec83c733665f25e748e4149bd3bfcc0280a22d7a021461aed94859a45cb39e50dfa3930d057adbc1c2d779f30df8911d17694de3eda391be1
SSDEEP

1536:7tHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt+9/Q1za:7tHFo53Ln7N041Qqhg+9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1208	tmpCA22.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCA22.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCA22.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Token: SeDebugPrivilege	1208	tmpCA22.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1908	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	30
PID 2264 wrote to memory of 1908	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	30
PID 2264 wrote to memory of 1908	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	30
PID 2264 wrote to memory of 1908	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	30
PID 1908 wrote to memory of 2560	1908	vbc.exe	32
PID 1908 wrote to memory of 2560	1908	vbc.exe	32
PID 1908 wrote to memory of 2560	1908	vbc.exe	32
PID 1908 wrote to memory of 2560	1908	vbc.exe	32
PID 2264 wrote to memory of 1208	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	33
PID 2264 wrote to memory of 1208	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	33
PID 2264 wrote to memory of 1208	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	33
PID 2264 wrote to memory of 1208	2264	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	33

C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
"C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epoms1bd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB4B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\tmpCA22.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCA22.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCB4C.tmp

Filesize
1KB

MD5
567dcac8b2118a23bc0cf18734193d44

SHA1
2d4a365f61904911ead65fcc2ad7c2010b58bf7c

SHA256
591636b8f5aa0f204d4ed58e16e3da9c0a63beee43d2c3b850381b4cd06f09c3

SHA512
5fa4af2ba5cb4804107b81f77db996dd5d8b6f7168042833b0f5be1c73392750bf42531d3a59c87140afa64e70ed98dbd251c0fb63c976f093cc9a92136dc9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\epoms1bd.0.vb

Filesize
15KB

MD5
284921cf9791c30e1be2a393a21ff784

SHA1
4b8c8b34adf1dc8a41f5b9490e32377b69b661e9

SHA256
dc4ecb83b789f6664a705a0fd020ce0eb4ae04d2bbd9e60871023856155f4833

SHA512
bf1888b6aa656a87c5ee4ee7e66eabcb98a275169194e00f0573a0bcf3b0ac34af37137e7984c0ed6098996289198eb79ce19098d4a6370dcbed2501709dbd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\epoms1bd.cmdline

Filesize
266B

MD5
0347b08d7392d6cd784fa94c99c63c69

SHA1
aa99b664ffe7ec6be8ed3eca2ef2927037281caf

SHA256
b318c620497e6197a024a1c6f9d1946c1b05f3d7eea9c83ef3550d9deb34f39f

SHA512
3f5aefaa363bf8f5c103dd098792c816b517217ab9785b375147bbe4eede20a10ec8992577469c4c7a7ee58f5a18c345300a9b089544a8d62c6f892174cabe50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA22.tmp.exe

Filesize
78KB

MD5
49103c7b3029d5550f70d8eda689fa25

SHA1
52b9aa13d662041da9300d46f3fc654ef9a3a3b0

SHA256
30836db40753e2ed4373c45fb0e2cdaef32d1f6c49e01e5320688b4f14cf2f35

SHA512
cc4604056d8b33a1ddbbabc20586a588a88fc70370a1d3f6b831f46d68125d1c7604c1b3ef41e912c464cc0549864ff3edfc4e02d6dc6742b7eca9a4fad9164c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB4B.tmp

Filesize
660B

MD5
ee56b1f0038e1db52c3f11e0770f4468

SHA1
ef2aaf0a3a22883ed45806f0ce0824c88b890fab

SHA256
4b93dca9c10f3faf8db5e5f5b90209fc2bc844759e7cb69d779c5f0bbe94afae

SHA512
33d34a1a17896b3bd5f4f6e644c3649ef9c2a33384623f88aecfa35341ce87c569d9f3fea304c0048268419e42fe2a190ae2c1677d1ef1d1ba8b47105fe83aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1908-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-18-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-2-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-24-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads