metamorpherrat | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906

General

Target

a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Size

78KB
MD5

a7989493a8e5fd945b366d1230069c50
SHA1

21144907dbdbaa2ad41da6dfed7b3a93dd104b71
SHA256

a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906
SHA512

332e1ca4b60410afa1fb39b1edddfdd6d86d5168300eaec9a79e4ffaa5086f94ffaedf4f0cadb34eb717342db111eef41bdd38ea6519f4eadbcbf86af15009db
SSDEEP

1536:jPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/u1vM:jPWtHa3Ln7N041QqhgD9/z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2776	tmpE908.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE908.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE908.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Token: SeDebugPrivilege	2776	tmpE908.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2764	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	31
PID 1388 wrote to memory of 2764	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	31
PID 1388 wrote to memory of 2764	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	31
PID 1388 wrote to memory of 2764	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	31
PID 2764 wrote to memory of 2684	2764	vbc.exe	33
PID 2764 wrote to memory of 2684	2764	vbc.exe	33
PID 2764 wrote to memory of 2684	2764	vbc.exe	33
PID 2764 wrote to memory of 2684	2764	vbc.exe	33
PID 1388 wrote to memory of 2776	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	34
PID 1388 wrote to memory of 2776	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	34
PID 1388 wrote to memory of 2776	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	34
PID 1388 wrote to memory of 2776	1388	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	34

C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
"C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_evtmn4f.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA40.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmpE908.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE908.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEA41.tmp

Filesize
1KB

MD5
5f26a75b308ad4a275090b9fe518d810

SHA1
71239c9fea84afc3f2419a65e719e1b23fd027c5

SHA256
6ee791957cc2da09f3b00a8d2ed8733e0d25d0a1b56de2356d4ed410029b0418

SHA512
e5ace030dde47fe89c7611fd2a6e85e8ee55fce457dc7492c32eff409d6051cf0c91e56b214f024f8f6e87dd2f6162e00dce957bc1fee8b13b6bf4f66c7e0af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_evtmn4f.0.vb

Filesize
15KB

MD5
373e53622fa50dc1bc6a5aa662d47e70

SHA1
8aa9bf94946ea9a9c33cf3df842bad4c272e56f3

SHA256
65672778ca8edc2210d6750cacef203891f3ef69cc80efbe63f451dbd331d81b

SHA512
fcad16d9fbbe1041056d490c84947ffa16d8a259418efd7c7aa24f35bf31dad3723ff0b62287defde6e66adafa67231adc2a69b68f86898db0dff95be4e7cdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_evtmn4f.cmdline

Filesize
266B

MD5
aab95fbef0da1529b3a514e5f800f4f2

SHA1
d05af715c5754572e6117bce39a786f2b3d5fb6b

SHA256
b1dc6e503f4fd8f6bb4d784f8cd45484be52c0b638d7c78c863c0ea106bf16be

SHA512
a01fd29aa26835431137c5513c1886e87bcdbdb9304fdd1888b0c47bb10e2df41aaafa6930459198e2a9f296e5e7556de55f6540ec75893a6b7176a96effbcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE908.tmp.exe

Filesize
78KB

MD5
30a7d429b67107eed6bce8e2e60bc715

SHA1
7105816c4e6f58565b2884d4059b36ef1eb00cc1

SHA256
95b66eaaca924968ffcf3c9abe999b88e199441b019cfaff2b44614c268c7b23

SHA512
9a05a08d25d14451ed0bf6a5b4eed0b4b28c9c9be3d1bee9037f167857c7ae3f7bbb9879f56c4c96b0cba232798ee977e2e8cd53d5f6f2ff5096e9fcfdd79f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEA40.tmp

Filesize
660B

MD5
c23fe795816277da6c169f8c5138f473

SHA1
552ea0ef4dbb614218886ec3660654d7248f379f

SHA256
f7ba8a91ebe8e35f2428bb0fcbfe7e9d8a6f83c9ebe38a2b9f59474fcbf1f473

SHA512
b2a260a99eb457b978d47e853a0ddffea52799c69f5a4330e32300c35dfdd5fdf9ae27a46c9d3bab2cc0b882a18d76377b9515ad996e02635132dbdd95644130

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1388-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/1388-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-24-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-8-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-18-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads