metamorpherrat | 949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf

General

Target

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Size

80KB
MD5

3d4c15603fa3ee5580c67f36d0b91e72
SHA1

e1129bccd3d702cdfde214deb60b7f89fe1f128b
SHA256

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf
SHA512

27af519090d60f4b25aa6171884b4c1c27e6d8c63cfd472d0185b758a7e8fd770051c3724671fc9b9fae5d8a176d8a932ef79a36ff0faaf320e932099c46895b
SSDEEP

1536:9HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLg39/CF1Y:9HFo8dSE2EwR4uY41HyvYLg39/Cz8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2560	tmp122A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp122A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp122A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Token: SeDebugPrivilege	2560	tmp122A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2760	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	30
PID 3028 wrote to memory of 2760	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	30
PID 3028 wrote to memory of 2760	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	30
PID 3028 wrote to memory of 2760	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	30
PID 2760 wrote to memory of 2784	2760	vbc.exe	32
PID 2760 wrote to memory of 2784	2760	vbc.exe	32
PID 2760 wrote to memory of 2784	2760	vbc.exe	32
PID 2760 wrote to memory of 2784	2760	vbc.exe	32
PID 3028 wrote to memory of 2560	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	33
PID 3028 wrote to memory of 2560	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	33
PID 3028 wrote to memory of 2560	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	33
PID 3028 wrote to memory of 2560	3028	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	33

C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
"C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bocqk8ay.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES146C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc145B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES146C.tmp

Filesize
1KB

MD5
5f2c397d9a7e86a017c2905fb79fad24

SHA1
c996e1be1edff620e894c2dcca4dc64f7b9b4225

SHA256
4373778cc56b6414a7401fd14f810a568ce0684b1b3afeb7b30c661bcb111b1d

SHA512
6b77cf0330462c1f3e132caf7324d609cf4c97b7fda4167a6aa2e455beedb96fe006f8e393ce653b3ad10b291f18afcf1aa60651af42787f82bb0092b53454eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bocqk8ay.0.vb

Filesize
15KB

MD5
1f182cf9312d1a343ef7642d1725e458

SHA1
67aa9171e3f6dfc11976a31589d02e273971c19d

SHA256
29564231191dfb8e37316853dd3783631eb7342652bfa45a34a33a08cf53ea6d

SHA512
845068c6c365bcae9ef665763fb729c3124f3aaf9ba657225975a92304485cc81e4803d55b1f80c1d0eec7e398aefd0f3dde6cbcf4b2f24be6eabd8f1b42725b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bocqk8ay.cmdline

Filesize
266B

MD5
f04e7b8996035119ed706039085c4d87

SHA1
e96402bfac431abcda33f8d3014ca5120fc7b8ef

SHA256
b99794780d1213b77007c1dfc32f3b81cd6616c0cfaee58dca2c8f5fd9b89e6f

SHA512
6a9482aaaaa0d5fbdd82c3132b6da600b0243af308dbb6dde4b9c3aeab594e69e1012df8a60320468d1682b69bfb206483de574ec11e2b17d949bbf0a23b2006

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp122A.tmp.exe

Filesize
78KB

MD5
3c9759fb36abaf101aa3bff5615ef8cb

SHA1
aa7b7a28444f43c0b0e06f62b63063c17abe1bce

SHA256
c730de80b7462104a0911dfa19c23ae736a436d3de98f31dafba4dc7ce4974a2

SHA512
b995f86ffa2d946a63d4709eccbac4b4d0043da405f44f43f2deafdb835a15a4df8aa74d52c06b16ba378428b2abdd227c3c37f557514e4e6601b15cdec710b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc145B.tmp

Filesize
660B

MD5
0f0172121383fca306ba1e3b0ba3dd56

SHA1
15a9fb290def6becbeeb24def92418334d1c3256

SHA256
e0f382e6506b569343b3b881c13ff6ceb5ce50b6649219832025b9e4776a2f98

SHA512
951e892264a78bd01432976940eadcbde5c73473e0748c90d0f44088371ba3312d5cfd13acb162077dbd095242f4749e6fd9fcd3cbbf9d9d5bc76187af9c1ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2760-8-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-18-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-0-0x0000000073E51000-0x0000000073E52000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-24-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads