metamorpherrat | 9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713

General

Target

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Size

78KB
MD5

b8f29f75ed83d16e2ef8ef1931a23b6b
SHA1

b44f07f8a645e8a5581db4ae95c3f52a9dd78502
SHA256

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713
SHA512

7e373e9465cc012236c71e1888d751e046ebc2badeb4919b118b0531790a79eeaa628ccaeab6ed7aef9f8103ef36ad0a5c711f2b0ac1b42cdb8974e56b8c951c
SSDEEP

1536:6tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl69/v1U3:6tHY53Ln7N041Qqhgl69/M

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpA850.tmp.exe

pid process

1624 tmpA850.tmp.exe

pid	process
1624	tmpA850.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

pid	process
1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpA850.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA850.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exevbc.execvtres.exetmpA850.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA850.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exetmpA850.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Token: SeDebugPrivilege	1624	tmpA850.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exevbc.exe

description	pid	process	target process
PID 1976 wrote to memory of 1800	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1976 wrote to memory of 1800	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1976 wrote to memory of 1800	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1976 wrote to memory of 1800	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1800 wrote to memory of 1056	1800	vbc.exe	cvtres.exe
PID 1800 wrote to memory of 1056	1800	vbc.exe	cvtres.exe
PID 1800 wrote to memory of 1056	1800	vbc.exe	cvtres.exe
PID 1800 wrote to memory of 1056	1800	vbc.exe	cvtres.exe
PID 1976 wrote to memory of 1624	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpA850.tmp.exe
PID 1976 wrote to memory of 1624	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpA850.tmp.exe
PID 1976 wrote to memory of 1624	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpA850.tmp.exe
PID 1976 wrote to memory of 1624	1976	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpA850.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA91B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp

Filesize
1KB

MD5
c1d71456c87c4407d4870edaec24e2ef

SHA1
d1ef4bc7a2edef630f44242ebe2be8fc07dce32c

SHA256
09a1c5b22b9522ceb6ce25da8dc98b48079ec001a60fcb120aa13b1b562eb8b1

SHA512
0798857432663a0a081c8b5ae08854ef59f3c7414314b6f36952789f420fd28fe269c7f8179a4bf3753f1f54aac01d797e6e1f8e2d97a3cee7834b9bc4ff6ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.0.vb

Filesize
15KB

MD5
05835b86fda588262af0cd5a25d9925c

SHA1
fdd57e81c9d730adb7d4292c00aa0d18db4a480f

SHA256
48f08ab8f8d034188ff1b0d73d6c9af20c2e51142c3d643606405bf368eed1cd

SHA512
07a7deaec1ec7dd4631b4a6c37827f5b48a9c395555edb148fac465417910ef165266da37088d32ca2d9eabcbb2b79ea4aad706474d3eecdc809e09bbfa2723b

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.cmdline

Filesize
266B

MD5
ac3d32ad021bba7260068221c1a02321

SHA1
4574fc46b41852a5cfddcce0b2b4b95bbc18562f

SHA256
f7ecbb84ad1253479ae7a109da6dea2fe531f9bd628b9f8e395e7cbd70424bc9

SHA512
10dbe98fbda9e9a4f83b7098e6d77487e6b2629ae85abd0539119e9d22973ab9f762aedb19a4f6e5048ffe89a4a9d7e19534ed0da7ca4a6c9d617975bf49d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe

Filesize
78KB

MD5
b4e084eaad42f350181bdc88a8e92c03

SHA1
05f76988858e819d1a5fcea553529a9a9ddbc7db

SHA256
41e99d16369b1d8d7e98c6333197b8390e5fc0b7084d577887662f3f9d340fb6

SHA512
42c7ee693c2ac50dcb9c03c5832414c95e88997d154a8b9f8acd34428bb610a1f8a5ad25e1a590de7f4ff4b3105ec3ebea8008cc083e18094fcf44119834e37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA91B.tmp

Filesize
660B

MD5
74dcc24af3d1332ac0ba7990c4609c4b

SHA1
4aba0caa0fc01770b2b3e732a435eecd7780ff3f

SHA256
582267d9944e1d894c034e07ebc910c3778b4ed583dbb821e92e95626d0b10b6

SHA512
39c4ea896ff6df0961a2bcf9880515a6f4f400fa7c0a81255c1ee602dcc23cfa8d2b83abd96a5f83955e0ec985cd4c20dace228eb97d9fa3e44837bd3a4f2827

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1800-9-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads