metamorpherrat | 0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853

General

Target

0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Size

78KB
MD5

867f64250d4384051c727c9675e6c510
SHA1

12f0d5a504370abab33f466b13295855125d7cf1
SHA256

0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853
SHA512

4bfc34868bbfd6e8b248133be44c64da27ffbc2da007db96ead3489d946b28953087adeaaa9d0731ba730cc13c8660e58209354004fff60986f329ce9c938a4a
SSDEEP

1536:595jSQvZv0kH9gDDtWzYCnJPeoYrGQtN6lz9/ha16q:T5jSQl0Y9MDYrm7i9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3004	tmp8066.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8066.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8066.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Token: SeDebugPrivilege	3004	tmp8066.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2016	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	30
PID 2380 wrote to memory of 2016	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	30
PID 2380 wrote to memory of 2016	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	30
PID 2380 wrote to memory of 2016	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	30
PID 2016 wrote to memory of 2304	2016	vbc.exe	32
PID 2016 wrote to memory of 2304	2016	vbc.exe	32
PID 2016 wrote to memory of 2304	2016	vbc.exe	32
PID 2016 wrote to memory of 2304	2016	vbc.exe	32
PID 2380 wrote to memory of 3004	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	33
PID 2380 wrote to memory of 3004	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	33
PID 2380 wrote to memory of 3004	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	33
PID 2380 wrote to memory of 3004	2380	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	33

C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
"C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ly4sd5md.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

Filesize
1KB

MD5
bd5bec2cdbd702ac686310a5688e0690

SHA1
1de9b9b468e1593b4716b83feb31be0ed5c644e5

SHA256
8a79085d761e9f1ed9d911a7d91e7dd42b4693ec37f11351d6237a882aac2905

SHA512
fbb601c493de3fcd95c440610563971921a94e4c26efab3e6cfa197abd57311495bbc405ede420bfe998d461fcf385ae2a7560b35c1c8aec1bbfb81d2c299a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ly4sd5md.0.vb

Filesize
14KB

MD5
ace2314a0986c9f8fcedb25c5587b800

SHA1
cd369a1ba630196251264dac47d7facfedee7b88

SHA256
742a76e6d6eee655f85419a7d45a1dafdb19a2de6a5d6d28b8665fbfe7410689

SHA512
7f312a6025f6f8122751aba989e04fa4ef6d21194dacad215461a0558aaad060f9b5f51e3f44557960a8a2c94df6666ef2c9ea659e0ac7dfcd5cf6a9b0e69fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ly4sd5md.cmdline

Filesize
266B

MD5
251628d1f977df74d7b039697655e488

SHA1
cc09bd37e3bc25fae010bb450cb94dc8b8c8c7e6

SHA256
2482db2c355fbf65c3e6d8aa1c59a359a386c86b6df26711c4137251e8dda457

SHA512
44157b35bf20384fdaecfe96d0ffacdca6729512687e64e362aa4d575b8dbb35f0708648acbd10412052eb8ef33457ca10d173545bb995613412ca00e256bbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp.exe

Filesize
78KB

MD5
9b78d3839ca36deefc22907ef877d430

SHA1
6e810276cbda2c68cfa8ff8614dffcf63e42ed02

SHA256
8c2e43f036949ff7bbf9521d89aa3b1c858a64dff8782be38bf2a2fec0941f3f

SHA512
9b7600d9ca867ffa9a82c3ae5dfe51504eee293258a4c7a9da0b910bbedb53089cdc557532b97aafd9ba7e7645dbbe2afa7a5705daa1489f3f874cd73c19e2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp

Filesize
660B

MD5
85245088ffc7378fc23b03d15f4c4a98

SHA1
22559dae8687066660987c02d8e90edf37dd175c

SHA256
eea2bea84ebf127d9b15cb7d7f188e4d848ccb176dc23abe8e5475d9c6d770a4

SHA512
f9b9bbb255c886a27de465bc95f92f0259fd9e44cab090144b59b00ae3a4310f5f9bcba7efaada058b154d4ad2087e75fe85f01f48f5606deb5054e0b3d3da89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2016-8-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-18-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-0-0x0000000074801000-0x0000000074802000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-24-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads