metamorpherrat | 62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6

General

Target

62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
Size

78KB
MD5

2df643bd3c95f5b076371b9b15982100
SHA1

eab6399e99c99a6450ef68a3ae70d619ec89a08a
SHA256

62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6
SHA512

76753cd59359055b46f7bd87c2acfb01fd42a1a157160e3b645d4ba66d60a29051062401b3da390e5503180969d0b140f926f53ac2b54ad8b4d61dc0ee6f31f3
SSDEEP

1536:ec58ddy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6c9/51S8:ec58In7N041Qqhg09/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2884	tmp5C24.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp5C24.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5C24.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
Token: SeDebugPrivilege	2884	tmp5C24.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2548	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	28
PID 2032 wrote to memory of 2548	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	28
PID 2032 wrote to memory of 2548	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	28
PID 2032 wrote to memory of 2548	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	28
PID 2548 wrote to memory of 2620	2548	vbc.exe	30
PID 2548 wrote to memory of 2620	2548	vbc.exe	30
PID 2548 wrote to memory of 2620	2548	vbc.exe	30
PID 2548 wrote to memory of 2620	2548	vbc.exe	30
PID 2032 wrote to memory of 2884	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	31
PID 2032 wrote to memory of 2884	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	31
PID 2032 wrote to memory of 2884	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	31
PID 2032 wrote to memory of 2884	2032	62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe	31

C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
"C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkr2puwo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D1E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62047a3ae1a56c09a51f1646c347a6e04d6e6ac6ca88714b4be22c3cc56bd7d6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5D1F.tmp

Filesize
1KB

MD5
61d53cef2e9245bf7b7a8b02f3fa0b99

SHA1
ce6a47060ed3e1f075e416d58215e43ff2386429

SHA256
73625973a1547e617e8044d6f56038a449f820173e2a8ff7dfa25cc6e970123f

SHA512
adf724a39bf7b77b39d7647a0eb428ec6c77eab5a5058651294c19d28c7630778372354fba4300fda55417aab015d6ab11e75f283454e0df6fc222f30529b75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkr2puwo.0.vb

Filesize
14KB

MD5
2def1f296927b714b99b103397c8a181

SHA1
ca4ec777b2354eefb0386b78688813f39dc11d45

SHA256
2920f43df97e18a2c2f0fe9a0ac147f22b60bc2db4b9e2ccb033e511ae446f3f

SHA512
7ecb5c4acf718fda46e7532665cb1561246b3f0a3384484d05ac7b000f81e8c08267b96b06fedd2c4c6200af539ee2789ee8a83385b10012f6afa1d06a08beb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkr2puwo.cmdline

Filesize
266B

MD5
a0bb4d38ad0dbb704af046e91cf91e92

SHA1
b343a9b3853f1b962acb14dd41cabdd231f81034

SHA256
023ac18ac9983d3db8dd3d5bf6e76867c9b2ebcc217e058be0f385920d7d82a7

SHA512
5a0bf64b099b5d0de4f40047db6c17702791cbaa7e079a9e29e0227bedffc8f059fa3138a75dcf33a45aa34d95cdee92822450292fa00ad6f4dcd3dda078034d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp.exe

Filesize
78KB

MD5
f97c4908aa62a7c3743d754d59a4a9e7

SHA1
09231df51dd0db228b901b5be32cd51a4ec7f95e

SHA256
efd7d2a8de4c6c96913308695f759a42691919fa840ed4133bcbe11c36fdf5f0

SHA512
300b49caf801495006f32e74dd3b1b6540e72afdf507cae00fb46678837e1e11bbc17a098440208dbb8e965a7cc7bf2868b707413236fa1df95cca976d5963c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D1E.tmp

Filesize
660B

MD5
2a5d143257da217de97c68472386d86c

SHA1
044f43f1a966ccf84a30826a42bc2bfe107fcc2c

SHA256
8b6d24301be350705ab62168fcb75a4337520f7b38b76c6186f9eb2213ed89ad

SHA512
3b433055d665871ad58403ece2dd2b22517ef1edec1bc3b62a2ae83aa3700992edcf386b71a2d69a1ef3685562b7861b3b6d48e97356ae5715b06a7ce221417e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2032-0-0x0000000074301000-0x0000000074302000-memory.dmp

Filesize
4KB

Download
memory/2032-1-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-2-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-24-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-8-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-18-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads