metamorpherrat | c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26c

General

Target

c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
Size

78KB
MD5

ce08c63f5f3bcf42a05f5cdcbfcc5d90
SHA1

07be501257f38bb13a0d47888a6715f478eead8a
SHA256

c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26c
SHA512

6c4b7fa0df927186cc6f7470ca20aca456e45ecf7c26397cbf9bcf355d4cc2cf4c3a95673569b3df7354f64d34a747eacd2b80c3bcac8305fd7d7047a7b9164e
SSDEEP

1536:TPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt1Y9/o1vp:TPCHY53Ln7N041Qqhg1Y9/k

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2076	tmpBB53.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpBB53.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB53.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
Token: SeDebugPrivilege	2076	tmpBB53.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3044	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	30
PID 1620 wrote to memory of 3044	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	30
PID 1620 wrote to memory of 3044	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	30
PID 1620 wrote to memory of 3044	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	30
PID 3044 wrote to memory of 2360	3044	vbc.exe	32
PID 3044 wrote to memory of 2360	3044	vbc.exe	32
PID 3044 wrote to memory of 2360	3044	vbc.exe	32
PID 3044 wrote to memory of 2360	3044	vbc.exe	32
PID 1620 wrote to memory of 2076	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	33
PID 1620 wrote to memory of 2076	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	33
PID 1620 wrote to memory of 2076	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	33
PID 1620 wrote to memory of 2076	1620	c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe	33

C:\Users\Admin\AppData\Local\Temp\c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
"C:\Users\Admin\AppData\Local\Temp\c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fq6gzfd3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\tmpBB53.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB53.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c789b961b4cefab04ef60090c0b4b1df918965d9832986c0c600c5a80056e26cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp

Filesize
1KB

MD5
b011b7ee4ccedda025313a51d93426d2

SHA1
fbfe00de65610b70519abcd14fe200ea9acebfad

SHA256
ce2f08da59394fb1a84c0b14484ac7b22d57e948795a7b28c351afba0e16cc28

SHA512
7ef4f6730266d4a10d1f129214daed54d5357d5f1b5d4054f448bfa48a737102b3f621dd908511bd41df39aa2435c645c2ce7448c313e9238afac109ba2b95e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq6gzfd3.0.vb

Filesize
15KB

MD5
7564c8a60c8a66066e833d69885b5637

SHA1
18c44172c4e6cc02d0d2d65c3b6eefebf6931564

SHA256
c5ca2e40778827f9fbec731ec874852e82bc3d0630b0afab2439f05fb5776008

SHA512
d6c34926f482dff2a82e8d4e1c831b87f7bcea7247f98bfcb07b47983bf0ff5d4d8ca8251b7fd57be478207db20c49d46ed15524a1f967d49bab76afea85fc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq6gzfd3.cmdline

Filesize
266B

MD5
33fabac4c8780fde4a90dbca236fed4e

SHA1
4e621f0caa5b13874b53c0d7c2a58f338d9528da

SHA256
1711450d448fd2fb6bbc1f1626a2c5f905488740949a1cde0fb5ae6ea444d0cd

SHA512
c72e4350cdceab75f4b094b4b20ce3c13665a3515492cad1993f76ca36416dda22d37f932319fb9269c7f630d5afaed418aeb694d32e1e97645899164efa7ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB53.tmp.exe

Filesize
78KB

MD5
2e068d3d30909c7bdc412a54355a672a

SHA1
066c766cb5d38c948b82abd263ed8bf806bb48e5

SHA256
7f4ac46c40f05f1d016aa02bcfd444f93630fcdd9d1fd227b6e82436ca57958f

SHA512
7b07568d4cd13bc24f0f2135bbb7dac3703d055d46e4aef37ef448b30699c967280b11ae7e1de9faa5a9f1822bfd607032d9b48963ff5a669db2e89c21c731b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp

Filesize
660B

MD5
d4415bfa357b5b8f9a10aea9d2f5b2bf

SHA1
75543cf31c1df4658757702d290bc546fa53823e

SHA256
522cc35475d54ce7b94eb2b7a57b19257a72050428a4f4d3156e052ac21dd030

SHA512
80c2bfea4d20477c8dc55284a900b544ed4ffd7f1b027cba5e073884002d14b615ba47b15a3e0c6e3b40beaa2b48ed3bd985d9ab7f440d8ce1d48f65f7261996

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1620-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/1620-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-24-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads