metamorpherrat | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137

General

Target

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Size

78KB
MD5

4bace1dc2a9db3db9638238233a29b60
SHA1

d4c157c6542dcb06b43f897a6926341772176165
SHA256

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137
SHA512

e330d7485d5a028fb69fc5b76a47c3cdfef660cf9edac4191e07d35da5aca3b10f7bd822606e22bb0d17ad4883784bf11555ff9d63d02d13d32b99baa4ebcdb7
SSDEEP

1536:HPy58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtP6R9/U1wA:HPy586E2EwR4uY41HyvYg9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp80A5.tmp.exe

pid process

2724 tmp80A5.tmp.exe

pid	process
2724	tmp80A5.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe

pid	process
2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp80A5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp80A5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exevbc.execvtres.exetmp80A5.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80A5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exetmp80A5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Token: SeDebugPrivilege	2724	tmp80A5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exevbc.exe

description	pid	process	target process
PID 2940 wrote to memory of 2716	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	vbc.exe
PID 2940 wrote to memory of 2716	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	vbc.exe
PID 2940 wrote to memory of 2716	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	vbc.exe
PID 2940 wrote to memory of 2716	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	vbc.exe
PID 2716 wrote to memory of 2760	2716	vbc.exe	cvtres.exe
PID 2716 wrote to memory of 2760	2716	vbc.exe	cvtres.exe
PID 2716 wrote to memory of 2760	2716	vbc.exe	cvtres.exe
PID 2716 wrote to memory of 2760	2716	vbc.exe	cvtres.exe
PID 2940 wrote to memory of 2724	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	tmp80A5.tmp.exe
PID 2940 wrote to memory of 2724	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	tmp80A5.tmp.exe
PID 2940 wrote to memory of 2724	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	tmp80A5.tmp.exe
PID 2940 wrote to memory of 2724	2940	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	tmp80A5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
"C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jbmxa5ex.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2760

C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

Filesize
1KB

MD5
6bce09ec7d20fb597c2fd246a7f478a1

SHA1
4c66b5c51dcf5d7cd42827a8806c099654748ba2

SHA256
84ad2a0df23fa03068855ce939ab2757ae5e3eda7db7c75f64733eb8b251aec5

SHA512
1417d935691d7be8386d4ecebe8e1458317af5885bd16985f34b85f294e169355b1b9febcfd5d24f898489a6e8397dbb6f6b55661b05465d0d68426632cb260e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbmxa5ex.0.vb

Filesize
14KB

MD5
32c6bcb0d2430cd143b33255b061c425

SHA1
676046bdf63ee54c2ee66e9ec81ac5aea836d239

SHA256
57385e8320f4d0d13469d8ed7b022d01057cd5d3f1f4d710fd6539697d5d4d38

SHA512
92d498340cdcab99b509a05c0c833d0918ee58269515cc5b191cdba4b8387529abcd78e863264acc79b6cae6ac4c9eba3cba0cb7a75f6e2aaacdb8a16b1d758e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbmxa5ex.cmdline

Filesize
266B

MD5
ab79d26503225a6d8b2fed05e811d0f6

SHA1
9a8186f53885e5bf19bf64d2d931e6db341c1379

SHA256
d9a4a62a1bf1a3310372ceb7628d48e3084cdc8032938a17987c415a388322f8

SHA512
151107134da8490cbc39cfb3746e40c56067c9105bb984f7377970205b84ad2eee68b6ef91fd8af615e8252e660ae15b15177297a00ac228376740a25c9f3de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp.exe

Filesize
78KB

MD5
238af4cae91aaf0b111e020b02bca2fd

SHA1
23b7fdd9ae435d7184f719266367fbb46edb05c8

SHA256
47f76615cf02ed050d0f6bbd66505ec8bc509a767a30efd9153026ba15d57528

SHA512
886213be93ea65e9633af0940ca6c2ac3174706ffe874c7d065b49ceecb50498e68faf05f70a4e490c841fe2aa05c2885e5d34af22405106a046053ab1cb9fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp

Filesize
660B

MD5
fd76e4e2039459f31bf775189f8deb47

SHA1
6279833d355fcd5a9ba8e02af791a6feea54b688

SHA256
8a6a2dbf9852d6ea4c68f5f29d4afd35e1c7371d3fbb68f51996be930e534b80

SHA512
5d2da5ab7935e0141325aabaeb98f04c89b8ecb7282e0b258e1df45c4281bd1864887ef157c0f6b278771da650113cc26c77e1071e099dc564f07dd652363021

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2716-18-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-8-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads