metamorpherrat | 949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf

General

Target

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Size

80KB
MD5

3d4c15603fa3ee5580c67f36d0b91e72
SHA1

e1129bccd3d702cdfde214deb60b7f89fe1f128b
SHA256

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf
SHA512

27af519090d60f4b25aa6171884b4c1c27e6d8c63cfd472d0185b758a7e8fd770051c3724671fc9b9fae5d8a176d8a932ef79a36ff0faaf320e932099c46895b
SSDEEP

1536:9HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLg39/CF1Y:9HFo8dSE2EwR4uY41HyvYLg39/Cz8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC4E5.tmp.exe

pid process

1788 tmpC4E5.tmp.exe

pid	process
1788	tmpC4E5.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe

pid	process
2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC4E5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpC4E5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exevbc.execvtres.exetmpC4E5.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC4E5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exetmpC4E5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Token: SeDebugPrivilege	1788	tmpC4E5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exevbc.exe

description	pid	process	target process
PID 2348 wrote to memory of 1956	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	vbc.exe
PID 2348 wrote to memory of 1956	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	vbc.exe
PID 2348 wrote to memory of 1956	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	vbc.exe
PID 2348 wrote to memory of 1956	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	vbc.exe
PID 1956 wrote to memory of 2992	1956	vbc.exe	cvtres.exe
PID 1956 wrote to memory of 2992	1956	vbc.exe	cvtres.exe
PID 1956 wrote to memory of 2992	1956	vbc.exe	cvtres.exe
PID 1956 wrote to memory of 2992	1956	vbc.exe	cvtres.exe
PID 2348 wrote to memory of 1788	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	tmpC4E5.tmp.exe
PID 2348 wrote to memory of 1788	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	tmpC4E5.tmp.exe
PID 2348 wrote to memory of 1788	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	tmpC4E5.tmp.exe
PID 2348 wrote to memory of 1788	2348	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	tmpC4E5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
"C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\id9nxcci.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5EE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC5EF.tmp

Filesize
1KB

MD5
83bb971cd703daaded45f310333e67f1

SHA1
e873febc954ee458b5b8d97600db676a0fde45fd

SHA256
417bbcf3d1817fb2e2122be1d47946e85fc67c7e6b66a7954a6ecd29da5041ba

SHA512
79cdbbaa4a8db2e0a0ca353be3efad5352d43d54de1ba8be1c449b43c55a000e4e4411e874eb39cd3c1f3da6e16abf99a096114550db68570125cb1c7b4ee2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\id9nxcci.0.vb

Filesize
15KB

MD5
c8eda9f21e060787574750b1594ce7f5

SHA1
2d2830c2a71f387e78588b25e9b6d95a56e8f44a

SHA256
22b573d907c195397661864e5b4235d6d97bb0a482b4db5e1b18dcd557189efa

SHA512
7d7a86ae76b8505bf444162d7cd00b7e6f5c34db7dc72ebd7a2e753e69ce1998cf68bfd45e6f0e0aae884f76ca3296346939b764c8ee650660b03b484b08ae19

Download Submit
C:\Users\Admin\AppData\Local\Temp\id9nxcci.cmdline

Filesize
266B

MD5
336e9536ee5a81be27ae124bb862ba1c

SHA1
b6a38be8fb4371a2827e3d6874df62b6c792b1b4

SHA256
9cd7af865c0765015736b9be39c1195f1ce103ef22ffee8fbfcfab4e79adbb79

SHA512
19fb56630517e379f68aa84c3a8af57966211f7d10c4d640a9c3ffa85b26052af0ac73cd98a8182488623c31b4be10df4adc4251e61acf2ee68f304e0fa67c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp.exe

Filesize
78KB

MD5
eace6d65d09a5745388f517020ab32f0

SHA1
4439a94229e5c57e1f37cad54f7a6c66bf911c55

SHA256
830e643f9c3e178c9a66e8bf5b90eb5a2e2a8688e61acfca1b40cda52f839dad

SHA512
5f0f22a4b1eb431699f1528bd5e95169bc254288cf926ef8d5d09543342336944feb61ef5decf1161720d3fef149e851296c84bb8134868f3da3b4cc8a6d338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5EE.tmp

Filesize
660B

MD5
43acc3ca52a569abf4e5100745deef3b

SHA1
9d97842ed6200070d3be7e12dc6584730fa209f6

SHA256
085aa3a3e268f491c19a60d66417230d4178ba5c4cf0cee6e3e60da8d7d735d6

SHA512
b55e07c8306398de72527c012dd2861c6e39a9d4d9579155719562e1874e70b159455d5f7ec5d5480c3a5ec6de16ec0107bdd1b1ade0638d40f156589c9caaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1956-9-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-18-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-0-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-2-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-24-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads