metamorpherrat | 674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04e

General

Target

674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Size

78KB
MD5

cfac1a9904f7bc099a0aa77aa2af6860
SHA1

0acdf75f10e712b89cb301a68b52e85e3021bc68
SHA256

674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04e
SHA512

7f4dc4408a8e6c17218cc0ba3e95a4bc5b3b3d3b6bd905a6b1b0437ad3e75561508236f42f2d6fa0485fc2ed759cf8f41114ecd74dd5ea38376210e6bfc8dc62
SSDEEP

1536:sPWtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQty9/g10:sPWtHFo8dSE2EwR4uY41HyvYy9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
980	tmpC783.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpC783.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC783.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Token: SeDebugPrivilege	980	tmpC783.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2328	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	30
PID 2080 wrote to memory of 2328	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	30
PID 2080 wrote to memory of 2328	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	30
PID 2080 wrote to memory of 2328	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	30
PID 2328 wrote to memory of 2052	2328	vbc.exe	32
PID 2328 wrote to memory of 2052	2328	vbc.exe	32
PID 2328 wrote to memory of 2052	2328	vbc.exe	32
PID 2328 wrote to memory of 2052	2328	vbc.exe	32
PID 2080 wrote to memory of 980	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	33
PID 2080 wrote to memory of 980	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	33
PID 2080 wrote to memory of 980	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	33
PID 2080 wrote to memory of 980	2080	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	33

C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
"C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zofjtl5u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC840.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC83F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe" C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC840.tmp

Filesize
1KB

MD5
04648e197a132e2da181ad555c9dade0

SHA1
548f9dba2ac832cf27dad10309644d69835d4ab2

SHA256
28309f4fb875248e84d02656a95c23ed122c018089274fef6e777690ffef08f9

SHA512
f1046d81a8aa32d329db9f4539bdc9f099de05449ecc80dcbff3bc081eb38b89c762bf9311439b59c01cb7c2a6f31babb0eddafaa072ac43c9d03f8b896b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe

Filesize
78KB

MD5
461a6742c5515125d5c55bfe5578aa83

SHA1
3d41b634f33b70e4d05e4634ad605ee247d3a847

SHA256
e3b24c9e9528bf0aafe2aced639b52385c3f0a88a96298435578196e03d3dfb6

SHA512
f83fda6eac8b4fa0dc072727a1863959b2bcd3941a27e837e92a1410e1413a3b0bf58953969e301eeb331dd564db205ed563e7fa6e5edd805cfdcf83c05eab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC83F.tmp

Filesize
660B

MD5
232ee4ffcc1346bc1b26c7ecf208b098

SHA1
c41842816600d31f1c468374f8ed3053fcda5190

SHA256
ea28f259b8d7f916f0b94da2c7cb1a639896c26bbda204d6f6b1ba2c2b6af519

SHA512
5140e98c09934bd99fdbfbac1e68f5828d02ee2ad24918fa2273d7eeeda59c6d3b7576048614ee6dc6157d6f845526f4078b737b94c2490e1ebb94d410cd2a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zofjtl5u.0.vb

Filesize
15KB

MD5
b182801e8a676ea1d2e6392904020fc7

SHA1
f0599fbd9db22ac12a599d6a907b58140e97a8af

SHA256
eccc41ddd840886755b15828cb8670f9b23c00389c6c3ab7645b06db917d13a8

SHA512
3f887bd2835a5b72d8cf76483a2a867b7e18be682eecc3bc44c9f3dc47b20b1bb688d41adb575c44f08974f0ed4866a94666353e41527badbaaf6849e7bc7371

Download Submit
C:\Users\Admin\AppData\Local\Temp\zofjtl5u.cmdline

Filesize
266B

MD5
5ddfeb0c1bd3cd73cdadf7761c198172

SHA1
6e66f357577dbba56932da4b837d707162a19fe8

SHA256
d4a72537d6f1e987cddba0afe5265a7af2082187bf87eaa3a0eb669a2da15a14

SHA512
4c3014bad009b4f3cf47222543b84a150214206daa26f3d9b3f47cbd55750125cfd33024b35bb161f38176bac3e0a518044b60ffaa3bfe18b53bf2042797fc68

Download Submit
memory/2080-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads