metamorpherrat | d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2

General

Target

d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
Size

78KB
MD5

d9e2c2e5e4583a552a3721d9d2c2805c
SHA1

d1149c0975c2e51761a63643321f2b25ff8717b6
SHA256

d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2
SHA512

6d180c5d02d3c56b6e713273de3a06335995be052cefc6570fc76f79213ea3a2d3f37427609935676c667e489253274c0c9ee3880a2fcd8db2703ecf7e00dee0
SSDEEP

1536:T58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC67B9/y1kp:T58An7N041QqhgjB9/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2552	tmpEF10.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpEF10.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEF10.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
Token: SeDebugPrivilege	2552	tmpEF10.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2800	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	31
PID 2668 wrote to memory of 2800	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	31
PID 2668 wrote to memory of 2800	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	31
PID 2668 wrote to memory of 2800	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	31
PID 2800 wrote to memory of 2644	2800	vbc.exe	33
PID 2800 wrote to memory of 2644	2800	vbc.exe	33
PID 2800 wrote to memory of 2644	2800	vbc.exe	33
PID 2800 wrote to memory of 2644	2800	vbc.exe	33
PID 2668 wrote to memory of 2552	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	34
PID 2668 wrote to memory of 2552	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	34
PID 2668 wrote to memory of 2552	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	34
PID 2668 wrote to memory of 2552	2668	d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe	34

C:\Users\Admin\AppData\Local\Temp\d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
"C:\Users\Admin\AppData\Local\Temp\d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eiixikv8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF039.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF038.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\tmpEF10.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEF10.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d56f3748a83d82162b38887e40791bd656381125b966f6709209b69bc99cf1f2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF039.tmp

Filesize
1KB

MD5
66afea42e091c98236d33925e9385e03

SHA1
e4782faf43c429c2af90a9dfebe9faa4de733fe3

SHA256
c14d73a257e48fdb1a02c0aa94c19c4784d033e5a6058de8f98d5b018187be63

SHA512
c01f32259cec67291b76b19bc38d82615f420050f1694add5ae38d8d66506f2022edce4581a9764cf6428e341a4f4226e2fee5c2e402f80fc61356cf9e244a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiixikv8.0.vb

Filesize
14KB

MD5
4fdef125bfb36a5c17467fa98353835a

SHA1
71f55fdb4f2b59651bf726538c05b7045f9dcabb

SHA256
5b24918047defda66e2a1e4b2477afc6eebe6122e5e125a9ec6ec808e7051998

SHA512
8db474bb966e05358025e4dc301362127c961864e38a08bc9914759c6096e5375820432c79d17ad29fd0ae5db86d2128a6efd048e8a249e5f16bcad03deb6186

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiixikv8.cmdline

Filesize
266B

MD5
17d334933efd90166fd0ef77b92e4c33

SHA1
5c6f1232783e5ee77e05ed2ba01c421b2163199e

SHA256
a89513f2968c424a83c351bf14fc863a4b6bfe1d3c88d7fd64f55b409a3dbf7b

SHA512
919744315957649e523e25ae9f7c9d8805ac75f9100ebb03ee0463f444d1e430bc990c3c9f421ce961a3d163c1c8b693e88bb7fc50084258663bc174f95fe172

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF10.tmp.exe

Filesize
78KB

MD5
d559baa1041c3315295d14fcf6dbb814

SHA1
1e5d84b100c99407bd1f4c60f60236e06be89b47

SHA256
63c35ed26ea432a5fb1d8ed19813d3621f1ca4733fb643a3264fe571cf26d00b

SHA512
27090b1badaaa4f2b42a6e025e99b4e43c3a3d953ad355705d3b9a9c2cf9511d8a93939c988ca3502ebfc1518d9439de58fd8e564aba09909efbf08e05a0436a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF038.tmp

Filesize
660B

MD5
43c689cea931f8e32b44ce14617a67fa

SHA1
31cfcb3c5247e563589729e0b49a5d700e37a1d4

SHA256
424933df513b4983855058f20cb9c3cf7b17ce63d21b2f0a57766fd1c9e6741e

SHA512
ed685e8d6cea04924b4cd04b0a83550697676c81875aaf337b7691d723bd3d77f680937807f644812b72393b522dbe897407bab459616a2d8e3ea2756eff2e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2668-0-0x0000000074821000-0x0000000074822000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-24-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-8-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads