metamorpherrat | 2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fd

General

Target

2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
Size

78KB
MD5

363c5ce3196976ef1ffb56b5e159dc10
SHA1

a5f903bef3d78c56f706ac8b430fe8ee2773a1aa
SHA256

2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fd
SHA512

957d159242cad352f10ac131f7fbf5462f9e8118bd941f50250ab5e46cb78e71764daeecb2453aa6e8c2175189d82aa0223dbabc36064413f9752a1ccb7ada2b
SSDEEP

1536:bPy589dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6u9/Z21KE:bPy58on7N041QqhgW9/Z8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2808	tmp2FD7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp2FD7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2FD7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
Token: SeDebugPrivilege	2808	tmp2FD7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2744	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	30
PID 2860 wrote to memory of 2744	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	30
PID 2860 wrote to memory of 2744	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	30
PID 2860 wrote to memory of 2744	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	30
PID 2744 wrote to memory of 2752	2744	vbc.exe	32
PID 2744 wrote to memory of 2752	2744	vbc.exe	32
PID 2744 wrote to memory of 2752	2744	vbc.exe	32
PID 2744 wrote to memory of 2752	2744	vbc.exe	32
PID 2860 wrote to memory of 2808	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	33
PID 2860 wrote to memory of 2808	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	33
PID 2860 wrote to memory of 2808	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	33
PID 2860 wrote to memory of 2808	2860	2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe	33

C:\Users\Admin\AppData\Local\Temp\2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
"C:\Users\Admin\AppData\Local\Temp\2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsubejyo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES339F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc339E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\tmp2FD7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2FD7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e276a526de749d2ac256339726564eadd69985bc3c480a08b01b0d60b63d4fdN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES339F.tmp

Filesize
1KB

MD5
9654c0aaf9c4290284893cc7cf711f6e

SHA1
81a5506818a59959564957e4c9b5c30bd95d1274

SHA256
3b6712d5aa7ebc0d5306f5337018234a4dd16b13ef61bb30ab46385da9f1a704

SHA512
1add086d71b82ac83c13f179b56f85a8178b5606bb4651ec9517993aecdb64f570010816f0487cf1461661cb5a198f48a99dfd6fbc78b91080b76aeca70ea346

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsubejyo.0.vb

Filesize
14KB

MD5
8cf05c5ec57c7caa97f00dc2739f022a

SHA1
ee6468ae2a6234e41925e3ed4b81119c782a21d8

SHA256
7772def2816a7f316832883c790cb9ac4635481f7cd5141b72314b8072322f20

SHA512
f9760262a3fa711fa28d6c01b89fa994fa28003e547b0082ef9f18388ea65f78e73905e653b89fa06f4bab1526e4b619f2af36de668eacd6078839fd94b0cbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsubejyo.cmdline

Filesize
266B

MD5
5e60559cacf79b80177285191ba49c1b

SHA1
5a4b900ebe93be6b8d4d2d208f9f30bba9552411

SHA256
adaecf27fdc90b119ffd877be77971cb5dee812dbfe8b683f7d5cf70b15f772b

SHA512
320d57e1b452ea61f11fcb235537ac2a5bccce65280e4475da98137653a5be5e524cf0a91e89f54f9dd9ecfe536814535f1caac5ed71b39bf84fc999455b2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FD7.tmp.exe

Filesize
78KB

MD5
94e882be3a5f741e3f1c4d8c0251f062

SHA1
7dd72d94ddbd5056d86531c2c4795428c2968d9b

SHA256
d8f8d5a19ceecf8eb4a1796663f34ee441328b9f0fbd93e5bd1496f5bcbdfa20

SHA512
50989121662e19bc571211992cf16986e438554d78a438aa5594cb5eec40e6ecde755c6b2dcc946bbdd918e2302e34ae470a39ec1400295878f5b90386d52611

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc339E.tmp

Filesize
660B

MD5
0b2620936470dbb6af9b9a83fe99bd5f

SHA1
39843f6a459225c6213e51520fdbbf592eaaed17

SHA256
e05bab01fa4e950b17651711c051cc84822d84878fa3af7c76ab392d57743efa

SHA512
df9a7b1a125ccfa9dfc8a94d38ce3dfc3830cf71200332fb665bfc655449cca77db422e3ea9a22077c7727d01dd0a53404e3db59ee2103d429ac1e742a7d17dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2744-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-18-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-24-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads