metamorpherrat | 03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88

General

Target

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Size

78KB
MD5

5eccb60697d60d1fbfd0518f9b7240ee
SHA1

ddc8607b374394894aeff2e282941b400d55ffd3
SHA256

03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88
SHA512

30416f3485e9d7c44eeed735f2a26962f6430cd6a176cf4e04de50d62f9d1c64abe5a4cbb7e618d90d502f45c289f2c754c97beb2673942f03b2635dd48349a5
SSDEEP

1536:PPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtA9/qi17j:PPWtHYnh/l0Y9MDYrm7A9/qM

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3008	tmp56B8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp56B8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp56B8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
Token: SeDebugPrivilege	3008	tmp56B8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2936	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	28
PID 1684 wrote to memory of 2936	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	28
PID 1684 wrote to memory of 2936	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	28
PID 1684 wrote to memory of 2936	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	28
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 1684 wrote to memory of 3008	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	31
PID 1684 wrote to memory of 3008	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	31
PID 1684 wrote to memory of 3008	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	31
PID 1684 wrote to memory of 3008	1684	03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe	31

C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
"C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odsulmlw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5783.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5782.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\tmp56B8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp56B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03e71e8ff58b65bcd69a7d90513e85d04700acbf1c10abaeb24051f27d3a5a88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5783.tmp

Filesize
1KB

MD5
1e03e27573619711c08471c8c7bc7c15

SHA1
037c47d973ff176f447c702a534f26d414846749

SHA256
97c5b422c012e873d88b591ba697caa1507ac9af6c9a9a677a19968465f83ee2

SHA512
eeab104a1a26629bdce4fff292a80764e8f8d21d8e2ed860c392cd3dd158ad058477978bdfef62dc1b25919cf2a951a39d797fc08251801db5e650a7eb9afc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\odsulmlw.0.vb

Filesize
15KB

MD5
3604e25a5d7d36c6feb5610a8aa39cf5

SHA1
97da9a85bcbb8f5052c1f46190abfc08be19c56c

SHA256
b9e06a64b1e90b0d536d63c65455d5f5bbd775c1847d5304fc2a052e85614d3c

SHA512
0c83d60e730b65436f5593bb816bc7f4c892da545ae0125a32d5fd738db862108b416d91b0dc6a8d81473cd3dadc2fb1278e3c20f66d7d8e776983694c9ea58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\odsulmlw.cmdline

Filesize
266B

MD5
ec63ae1da9fcd86cf4adea21ebad7480

SHA1
ed893239229b05395f9b49bfbdebb97a68a8a985

SHA256
6b756790f7970a82cac2baadaa1396cecf72bd89fcebd95312111574b427ab4d

SHA512
a8c8820d4c3bbc3df7ddd4631fede22278abc0c96b1310fbac10fc84a188afc13a2712e0c97c5517a9de900a78695adaadd21c990531d405dc84e5d96ae6f6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56B8.tmp.exe

Filesize
78KB

MD5
0637bfde09769dc8491569659b6efbae

SHA1
c5cb2bf097da638342be27a40c413f9e8dc6e49d

SHA256
6bdd7b279417bd6122e121dbc5cff14371492aaf0498e937cd300ce9816cb66c

SHA512
c48c482a481b6babe84e9049ad923dff7cb76254040a38c6e6554d4e591bf664415395310e05d396c033e31c493d8d50daaa55b16a9bfab4db283aaae1606cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5782.tmp

Filesize
660B

MD5
85ac69e1e1988767ebbf8fd95539764b

SHA1
f52ef2aad7a283fc581dfbb3f3303f944e14baf0

SHA256
65cc346cbd3439154a4e1efc4371dd1696cb8e4e026db925f3e5e60ad8ec7472

SHA512
c217a660ceb4b847d2c13121185ac9cdad52134688440d470464c5207d5c8d905225f34c8bd48e728629924450f325f03860dc70f23992d41e239ac2182a54e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1684-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-24-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-8-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-18-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads