metamorpherrat | 6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f

General

Target

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Size

78KB
MD5

e3dbe94d0c54fae63e9347ba0db697d0
SHA1

06db23739a8c3cc35f236963d5ba7797b8848139
SHA256

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f
SHA512

62e8badc84efccce08327145e853c94ee94f9256a08e391d1dfe1c2c090680d2eefe8128f0efa276438672246c190eeba9ad80120409b7e667060304ad82eaac
SSDEEP

1536:hPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR9/e1ck:hPCHY53Ln7N041QqhgR9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1900	tmpE2D0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE2D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE2D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Token: SeDebugPrivilege	1900	tmpE2D0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2480	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 1852 wrote to memory of 2480	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 1852 wrote to memory of 2480	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 1852 wrote to memory of 2480	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 1852 wrote to memory of 1900	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 1852 wrote to memory of 1900	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 1852 wrote to memory of 1900	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 1852 wrote to memory of 1900	1852	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34

C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kjzaud8y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\tmpE2D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE2D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE3BB.tmp

Filesize
1KB

MD5
7be1935c3d1f09f2354117c932f59710

SHA1
facdd088878425d5896ad0012d1b7823e477236f

SHA256
6113496c980454ee7b81fe422ba69ba3c85520db7c3146a604ea20f6e6ad0fff

SHA512
0f05d17103e6143b7169248da9cf8ab02baf632bd4bfca46c40edbf9dfbaa158a65a9a03d952cae2bb1fb4f14d36e9b56b28cc9081e761931d69343c81a82b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjzaud8y.0.vb

Filesize
15KB

MD5
6c488ed297568c16970018a02a2ecb5d

SHA1
c31a82dc9185efa39463dc139f298c69e8b1a360

SHA256
ac78f7ef19f7c0889f819a241e4dc01826ec6f337d0a89f91af10cee5ee972bf

SHA512
7bafc86f13abb1633981c2425eb3582ad27dd5cff34684351e903e606acbad4ca766b1c9f51e9ebf4d96ab9b7d558eef42f9c665c4477c133766d67ca44846cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjzaud8y.cmdline

Filesize
266B

MD5
6c06ba47ec959c10664d9361674a5316

SHA1
56bcf3068c9473d5b1f51c1a78171e2f546ab930

SHA256
c3b3708c7779baab8def06fedcc5503dd91ca01b1abeadcabb455228b8250323

SHA512
4655464484771ee16a2b501bcec9d34a15f727a7a91e62fd4aca8bbb5ada960b6b5e1ba8a2de5261477a1cded38503e334d3a5b82f95d5ff9aef7e1a9b5d7f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2D0.tmp.exe

Filesize
78KB

MD5
96bed29e3298ebb1ac609bbaac301ca6

SHA1
8a77ed5271fddb098869e211f9f7581039c279a3

SHA256
147f45a45cd7897737615f46e0cac14dfabdf8d9d529472e518f0a2802decd00

SHA512
8dab22b850b660bef1afb2fdfc2e220609246e3af791b5de48c6365e52aeb82f3f304345e3a6cd916253aca3fa0f778287f789379f9313e3c050ff34347e7b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3BA.tmp

Filesize
660B

MD5
7f055c760632872085089d20c7dbc775

SHA1
ee173221580a086b86b27158f128b43e5bd45264

SHA256
b2a2932070d91c56383197290926714fad5216c05defff7e7ea32db9fbd6748a

SHA512
b9e3866a9b76343e290a2067c2665f9315e33f586ebcb93530c22ae6b425c2b9f69f8d22618e33e20c10f587dcb0238e12278bc9520cffc49062d04bc6e94e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1852-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download
memory/1852-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-24-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-8-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-18-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads