metamorpherrat | 62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6

General

Target

62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
Size

78KB
MD5

2df643bd3c95f5b076371b9b15982100
SHA1

eab6399e99c99a6450ef68a3ae70d619ec89a08a
SHA256

62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6
SHA512

76753cd59359055b46f7bd87c2acfb01fd42a1a157160e3b645d4ba66d60a29051062401b3da390e5503180969d0b140f926f53ac2b54ad8b4d61dc0ee6f31f3
SSDEEP

1536:ec58ddy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6c9/51S8:ec58In7N041Qqhg09/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2092	tmp87B6.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp87B6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87B6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
Token: SeDebugPrivilege	2092	tmp87B6.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2384	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	30
PID 2520 wrote to memory of 2384	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	30
PID 2520 wrote to memory of 2384	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	30
PID 2520 wrote to memory of 2384	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	30
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2520 wrote to memory of 2092	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	33
PID 2520 wrote to memory of 2092	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	33
PID 2520 wrote to memory of 2092	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	33
PID 2520 wrote to memory of 2092	2520	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	33

C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
"C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0evhgug.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc891D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\tmp87B6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp87B6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES891E.tmp

Filesize
1KB

MD5
5721a0212ebda5b52415f6e4029a7980

SHA1
ff8f1ff4e928898756c619c914951134ef1e3c66

SHA256
c485cb2537107824c39241d763a7bfe31ea6470721c89c9f44057fbb45242522

SHA512
cfa552cb68dcbe554afec049f7003a1f3db79baf7983cb481d1d0c77ce87067b678454c946400de326aec4c946aeda3ef59b238d850fe5be71ac62638b2d1c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87B6.tmp.exe

Filesize
78KB

MD5
696dfdd0be1feabbd6c76a6dd08d05e4

SHA1
2ee4346d834058db55b29e2c22589037de2110f6

SHA256
e8cbb5283d603e2bdd07f9eae91ccdbe94150acda46d99eb72abe4142342b2bc

SHA512
32e41c537d9dc065d4979c42457ac6cb27dc0587cf26da2a1fdc6d666dff2bf85e3ba5f916b39999140949f8d62049640a574b6cf6480f2a4a2ed9d4210b5a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc891D.tmp

Filesize
660B

MD5
8c8e42101220105c61a0a6db7eda24e6

SHA1
8f354ba032543c8efbe9ddfd3adb050f894410fb

SHA256
c30bc153776261230f187a75ae2492ac7f794cf73d19a77fa8e7a70afdc66952

SHA512
8144ecc895d8963d4a50e5df949dcda5123c6f7bc4856f2bb96f5881338aa6190a396e89ded104ba6716c92c1e74b14aa6215c5621e503ef158e12d89c151a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0evhgug.0.vb

Filesize
14KB

MD5
90dd4386028cccc1824eeb655b8f84ad

SHA1
34be666b9f9a3ca13c444be1e54cd1679a8d5d85

SHA256
c104a36fd396257a3c2457be40518c8d5f9376c734500730876288b1e400bd4e

SHA512
57902b80b3a4ee1a85b0f9100eb058feba8b29ddf93da4b309043b08b199f65cf218ac04526379e97e4f477c6ea68ff46f3a54fb200b91f79dc25701a03a2fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0evhgug.cmdline

Filesize
266B

MD5
0f2daf1dd33de725d2c0483d20cf48ae

SHA1
2c22a043e3833f3fc6ca5dcf47e15d602fd860ea

SHA256
98e69cf4cc2c417ace753554121a853572219886f9d4d6db2abb04ef5e26fecf

SHA512
be6bb6873d0c1aed7e01f77126e9f2694c55d8de7ad5d8c2e1ffd522fbda7565e3273b0b33899d505d69edd97c59d2bf7793b4493acad03c7bba7dd69d907549

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2384-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-24-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads