metamorpherrat | 34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62

General

Target

34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
Size

78KB
MD5

5fb51286121133dbb61751b09f4cd490
SHA1

c4c0a3cf014258d5a451c87865936e43e7e8bc3c
SHA256

34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62
SHA512

32cb9e2567deeff3b57743eb9d7cfb7f375e07f2811b2e3d399e65a517f06a2e4bf62f2b41d29804759346a8c411c539730e05f31b7ef227f5f515aa3156c39c
SSDEEP

1536:SWV5Sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96z9/4109:SWV5Nn7N041QqhgA9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2104	tmp823A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp823A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp823A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
Token: SeDebugPrivilege	2104	tmp823A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1652	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	30
PID 2372 wrote to memory of 1652	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	30
PID 2372 wrote to memory of 1652	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	30
PID 2372 wrote to memory of 1652	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	30
PID 1652 wrote to memory of 2788	1652	vbc.exe	32
PID 1652 wrote to memory of 2788	1652	vbc.exe	32
PID 1652 wrote to memory of 2788	1652	vbc.exe	32
PID 1652 wrote to memory of 2788	1652	vbc.exe	32
PID 2372 wrote to memory of 2104	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	33
PID 2372 wrote to memory of 2104	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	33
PID 2372 wrote to memory of 2104	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	33
PID 2372 wrote to memory of 2104	2372	34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe	33

C:\Users\Admin\AppData\Local\Temp\34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
"C:\Users\Admin\AppData\Local\Temp\34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfozk7p8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8400.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83FF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\tmp823A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp823A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8400.tmp

Filesize
1KB

MD5
5cbfd2608f4a8e10292f5e0b0770f52a

SHA1
00ef0576b79caad87313e05c609f1a6e4d400bd5

SHA256
6909ca9c97a9a5190ca9e057754d1bc7065abcc25900508eb18ebe32de39b224

SHA512
b44cffd9e07d28ae5d3624401e36923166fd29f1297da5ade80a4c329932e2cfc8d6372ec0fb61f6b932354d6e56fd861215da0ca99b4a589ea1d1004bad2d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp823A.tmp.exe

Filesize
78KB

MD5
0bf7b3642a913bb0cd48c69c3b555f3c

SHA1
3d9a8199bbe98d0e71a5cfff5174c376ff878cc2

SHA256
5bda6393d677c61fe8f36fc93d86092847d1a456c2587e1ae8261ef9c1331c83

SHA512
b047cf0ea24324aa237595a054af150a2b33080fb5f54f39be6699fc53a0621f1b1ba1b9e5bfb0aabf6c73e664177fa1ded86a1f27c1e741f8cf2a777c9b814f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83FF.tmp

Filesize
660B

MD5
03971600b91957279d0643988065a8e4

SHA1
5be0f3b2136eb86393e20dc30f0388a0c83062b6

SHA256
dddbb32a3528f200e4151e0b4bca7327923a5de0458e149caee1f8b8d03cd938

SHA512
42c95fccb8dc4fdd29ddbab5f565b4e12bd3c12bb42ce33bc4203235ef44b96ae9bde0aa41a7b87ba14475fa76ea174fb8ac79a5531260a49b4bb58b6ee23f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfozk7p8.0.vb

Filesize
14KB

MD5
bde470a8ce1ccc873b5aecd5c8ee1724

SHA1
02ef377563845bc2e9006fba7197a569d207ae6b

SHA256
d779c9d4a21b1c73ec6a8b653afae7362458e39ddaeb8d5892e73e4ec4ff2715

SHA512
5d581d444a70d9a7d42f6c49be41be1d2abe36fa53ce01badfe242261a5da5d41f24c0a2b68a72bcf6a9aa9d2a39f2f8e98a1a95ff92bc1ece5670974ab0a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfozk7p8.cmdline

Filesize
266B

MD5
3401e134b0707a4271fdff76c136f53b

SHA1
d1d81a30d5e37ceecdc7a18942eaecc436f713b7

SHA256
21aeb3b5cc2f9945f7b5fc34d129801044db15bb0b29fff0248146599d61d2bc

SHA512
af49b640eec7ef13c03527f323d4d47f7d3fcfe1d728a2c5007bd5f0cc692a5ad315d7aa248ccd005d2f76447084aa9d79ecd11f264361d8e6e2dae0e88ef8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1652-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-23-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads