metamorpherrat | 54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2e

General

Target

54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Size

78KB
MD5

f4247435e512d54b0c1c20cd764a8750
SHA1

60912dfdeb34dffe7623d8676734160567d2b3a9
SHA256

54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2e
SHA512

7ca7436464d6ea2b88f50921b3f176bf9bb2a6d3a0ffe7ab6e6249173bf44ad5ed4f9d853b45c51cea34919c542c66fbef750518e11d263e1dc44bded7832f40
SSDEEP

1536:Q58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6P9/F1+g:Q58An7N041Qqhgn9/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2672	tmp6816.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6816.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6816.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Token: SeDebugPrivilege	2672	tmp6816.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2732	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 3032 wrote to memory of 2732	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 3032 wrote to memory of 2732	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 3032 wrote to memory of 2732	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 2732 wrote to memory of 2820	2732	vbc.exe	32
PID 2732 wrote to memory of 2820	2732	vbc.exe	32
PID 2732 wrote to memory of 2820	2732	vbc.exe	32
PID 2732 wrote to memory of 2820	2732	vbc.exe	32
PID 3032 wrote to memory of 2672	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 3032 wrote to memory of 2672	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 3032 wrote to memory of 2672	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 3032 wrote to memory of 2672	3032	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33

C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
"C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnxbjck6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68F0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\tmp6816.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6816.tmp.exe" C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES68F1.tmp

Filesize
1KB

MD5
75f9180a4af43df741a25c56c8cce448

SHA1
6108c77fb2891640b996ce8154fb9d9966fc6954

SHA256
a419ccd9acb9187b383fad4cb0c6384a9fd8acaf5de021e6ca78dc4eccc351bb

SHA512
80f6526e59ba9e22ede6edf718101c270d217de96ab5ac72b76f756c5f3b51852235bcd2a0709a19000b1712968ece8d013b7a9bf4f54b86bcd667cab565ed2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnxbjck6.0.vb

Filesize
14KB

MD5
01adcd6e6896ec01e21cfef04cfa8937

SHA1
f3c6d10410f627dcb74ed4f4045b84ba6b19e8ed

SHA256
032e147f15203a8ba184c3a04fc70bb3705959399ce946d12729aac9e1cdeeea

SHA512
eacacb1a4735801ba888bf613535f15dc214c4b47434d1525f234bb50bde53615057eec9d426b2b916f9efe95e6a3b9533b3bc85360f40f074c939ac11b95e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnxbjck6.cmdline

Filesize
266B

MD5
b162b39e95b15b22d0ff09fa0394bb30

SHA1
71e4aa318ac139917bc66b2333507361ba9ab474

SHA256
97c37a87ccc5d4c6cd7342e66a88fcc776a6aaa14828cf9049b9c71d0577ac93

SHA512
8922314f8b20785e5fa78977c969e4d42a8b84217d162a8ea960abc64c8b92a8f8f81cd6fda74b54c0b4134d8d47a6e14c65d325f52898faec31c1d3c7be704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6816.tmp.exe

Filesize
78KB

MD5
6692fd7cb3783ab4f8adb35b0ba223d4

SHA1
6be97160cf30dcf395617bef0a0678d0228d07a4

SHA256
670bbeebe3beab03b4351034c2dcd914585a9e72c2c1b6a5557de5a832e6d9f3

SHA512
e44eb0e285642d71cc248cfd8099482d2ab51f61eae2b8b13ab8dde0365fc5745bd9749f7076b2ebd26319c2897d6ffa86fbf4994d32f0990f0eca4670105f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68F0.tmp

Filesize
660B

MD5
befb3768f5078855b30536ae2efcb2d4

SHA1
90b6d467c0b355ddea9f6efde6be6fd5880a8fbc

SHA256
95dd6c9011e187c158ac91be9d4c4d6b908ee03636d3811ac52d37e5a525ecf6

SHA512
ddc450fcfe384a3d1976fb793d57514a3d952a46770ff54983393bf835e1b1d2e0936553f4cc679a5ead370469f90a81c43a4ca2809f5d6f97627637bb81d75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2732-8-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-18-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-0-0x0000000074991000-0x0000000074992000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-2-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads