metamorpherrat | 5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34

General

Target

5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Size

78KB
MD5

b2a5489877f58a7ee049569cff6e3270
SHA1

f60d1d08fa723a3d24b4b87414cca62dd82a0437
SHA256

5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34
SHA512

5ea40c1c1c173bff711523979836057a27076dcdc715806937fccb2a56b9e702e6213e27939d18f3225b643fba35bce33a8c99f3ea2df40c08069f27bc77eee1
SSDEEP

1536:psHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtP9/91Tc:psHYO3e/vqyA11XYUBxprBPjcP9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2640	tmp1890.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	tmp1890.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp1890.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1890.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Token: SeDebugPrivilege	2640	tmp1890.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2152	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	31
PID 2488 wrote to memory of 2152	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	31
PID 2488 wrote to memory of 2152	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	31
PID 2488 wrote to memory of 2152	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	31
PID 2152 wrote to memory of 2816	2152	vbc.exe	33
PID 2152 wrote to memory of 2816	2152	vbc.exe	33
PID 2152 wrote to memory of 2816	2152	vbc.exe	33
PID 2152 wrote to memory of 2816	2152	vbc.exe	33
PID 2488 wrote to memory of 2640	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	34
PID 2488 wrote to memory of 2640	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	34
PID 2488 wrote to memory of 2640	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	34
PID 2488 wrote to memory of 2640	2488	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	34

C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
"C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e2git1gp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc197A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES197B.tmp

Filesize
1KB

MD5
0121176202f2ddd6a98fefc7b8d8e1e0

SHA1
7b809222a6cc0a02b4a1c3f575410ae0ed95f41e

SHA256
6ba65f2b1a7bfeecb16a39590093aee01a6e51feda899b87ff4d1f0605808010

SHA512
7c1bf5f9a96348da92397dea2966ffce20ce108c9a34bbfde747165ac167d7931ea1790f46fe6b0534297c6e795867b8cd7df5e3b0de57b14b5c1ab9b2f29949

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2git1gp.0.vb

Filesize
15KB

MD5
1649777be45eee805d2ea3bb5da5b13c

SHA1
b0658ba8179d4380f588542bb1c4daa2fc810b47

SHA256
fe54819715201a6996368d143440e8d4e393b90ba674e6b158c39d62fac72e32

SHA512
c8d5de714384521d95387314d51258a3ab4296adef8d69ad87eac7615b891972b9a0cbd4ca20dcf82408f84b565c185cd68892269266f4ed5a720d575caef089

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2git1gp.cmdline

Filesize
266B

MD5
0a214b5d0271feaee2bb7606ea3e863d

SHA1
65b1be3825e5216f15a8231a537aa4282fd4c5ca

SHA256
2885fc514fff0b78897ad468bfcc6ea47a5538ddcd35ced5b29efbe0f5c532b1

SHA512
c93bafb2af62f609e8c96f2cdaf04a2ee3f80caec8a160fa61c8e5e2b1eaf1aafbf3482a0ce821eb652f0743d024e8616c7e0130366c688db7adc851f6b136cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp.exe

Filesize
78KB

MD5
3c4be6220e09724a3db9ff948615fd07

SHA1
f20baca25f0ae2286150890edf42faccacf78057

SHA256
1044dd8cf2a3c973b66268e1d398433e9170bc226afe13ccd9c6b0764dcce840

SHA512
5c755973bad3ec00bafdd8b3ebab80b637481afde6f034b7c4aeef566bc7a345e00849b0c85755e9d2e676ed9316affd9a54ae389de4645bc89eaa94fbb68fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc197A.tmp

Filesize
660B

MD5
c898c5efa30e4be3aa9867a99dabd381

SHA1
2b3e8539317caba9ab25384739c96794f8fd154c

SHA256
141086d1181f7a4afbad24d0b1d1212640ca7ac16e565ce12b21cc02c5640079

SHA512
d24faf4d5ae8d14c6107ef1ba06fa0781d3c23d41558fdd511cd3ee9b2e4dbf8f082f8b21dbd1a2c896b736dcc6ef2ea3a6959dda6b1bd650bee51b461b52bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2152-8-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-18-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-24-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads