metamorpherrat | 118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed

General

Target

118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Size

78KB
MD5

a7c8face9dd0f643f2a50817cf867af1
SHA1

e4c18b8f6e7f56f84438a24ea800e23fb8d3ff71
SHA256

118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed
SHA512

c417c726eca081a4d321ff6c2c64c608ecadab7f1b5893a48ac601c24a0af578a2bb6f3a5439ea75bda1caed9d0c61da0d8ff203bc84908119773e4a0d7d9e56
SSDEEP

1536:T4tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtM9/g1iy2:T4tHY53Ln7N041QqhgM9/A2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1240	tmp63A3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp63A3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp63A3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Token: SeDebugPrivilege	1240	tmp63A3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2772	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	30
PID 2888 wrote to memory of 2772	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	30
PID 2888 wrote to memory of 2772	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	30
PID 2888 wrote to memory of 2772	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	30
PID 2772 wrote to memory of 2784	2772	vbc.exe	32
PID 2772 wrote to memory of 2784	2772	vbc.exe	32
PID 2772 wrote to memory of 2784	2772	vbc.exe	32
PID 2772 wrote to memory of 2784	2772	vbc.exe	32
PID 2888 wrote to memory of 1240	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	33
PID 2888 wrote to memory of 1240	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	33
PID 2888 wrote to memory of 1240	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	33
PID 2888 wrote to memory of 1240	2888	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	33

C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
"C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvoa89ab.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6633.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6632.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\tmp63A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp63A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6633.tmp

Filesize
1KB

MD5
6458df395fdc9bca19032105f4f0fa7c

SHA1
3a08146256f12db1b481498db11d4bb0ea7773e9

SHA256
d639ba1f9297ed8644af71b392cf316f2c1ed298ff31bede0a83df6516995921

SHA512
c4a7832fe7a6312068d7ad34fa402820f51f8ceca7e887ce616d0c4aa769e674f6cd6def0c4a96ca1861c4d796614801a174ddb6aba67fe5bb5f2791557be709

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvoa89ab.0.vb

Filesize
15KB

MD5
d99fd90f3a48ff24c6ac04f0bd7f2f71

SHA1
9213634613e3efa7f1e424f5c4b5242b69048aad

SHA256
13ba98f4e406248a2f6ea757e8ec6f97ab24a18b8f484c4dea6ae25e5dd52755

SHA512
2297af6bfe831f735356f0e1fd0a9744fdd2fc901f11a1fc7ffb9d9fe225d83212c678cf53cff2670ca4943db259e198fbf3b0a87ba540a54afc560f9435b147

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvoa89ab.cmdline

Filesize
266B

MD5
23f28c20ba90972116fbc0ea9508f915

SHA1
3b4f5e75b85156063c57c65f6469e5e81e245e2e

SHA256
3554b0d72a1eae086b70e41ce679e6faf57cf2f167ae1d7fb06e79e324b50695

SHA512
32282c784280c61a7d1f078710c4d626ead0367d1abf119daa056f53090e307aab11de25c00b59dfd78cf8cc7f7dc06d22d3012a3efc5b0c283bc1e4e6341eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp63A3.tmp.exe

Filesize
78KB

MD5
e17515278c0e623d13176ba1fcda7d8b

SHA1
7c311e468ec0ef69beb56fb15f11d1eb6b0abb55

SHA256
ca27a318310fb2d675d692de0aeaacdcd52210fb447bb48d4c73bdf26c76a955

SHA512
2c7f4794d5bd13714b9b467b3415f06e8e2ea3c245ae0a47e21f353b3735a0faf7ca9093a4ca5081f16008552bb48771f62a554121fe3133cd0e575c96de4386

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6632.tmp

Filesize
660B

MD5
46188219dd3af4c3acc36cd8d7410bf0

SHA1
f1eb64631779c4740d4408f2dc29d13b6d6b72e8

SHA256
a1ace68cef1857f7ae407bd24bce29ae6fcb4ad0493f1adf9aa87065b18c2bca

SHA512
a1061084ae79968c6eb87c908c0d5b4897b88290be15933a04907732566c168fe8a6b2bb173fb2f7afe7ee064c300b7ba10f29affa2d97d1c2864140c31306d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2772-8-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-18-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000073F01000-0x0000000073F02000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads