metamorpherrat | 0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677

General

Target

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Size

78KB
MD5

a594e7da4c6fac8895052aeb377aedf5
SHA1

db6c769a57bdfeba85039618219cf2ad01281356
SHA256

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677
SHA512

f74e75a09b5b100d962974fe9d39e5bf1a9b5bd0fd0ba812c8e440e73fa3194d921f4b65b4b9c4f07784758ac5728668d29bf8a419874d774d46922b7fa7d202
SSDEEP

1536:bPy589dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6u9/Z21KEY:bPy58on7N041QqhgW9/Z8Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3004	tmpAB3D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpAB3D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB3D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Token: SeDebugPrivilege	3004	tmpAB3D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2368	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	30
PID 2084 wrote to memory of 2368	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	30
PID 2084 wrote to memory of 2368	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	30
PID 2084 wrote to memory of 2368	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	30
PID 2368 wrote to memory of 2256	2368	vbc.exe	32
PID 2368 wrote to memory of 2256	2368	vbc.exe	32
PID 2368 wrote to memory of 2256	2368	vbc.exe	32
PID 2368 wrote to memory of 2256	2368	vbc.exe	32
PID 2084 wrote to memory of 3004	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	33
PID 2084 wrote to memory of 3004	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	33
PID 2084 wrote to memory of 3004	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	33
PID 2084 wrote to memory of 3004	2084	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	33

C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
"C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6uj4v1ok.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC56.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\tmpAB3D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAB3D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6uj4v1ok.0.vb

Filesize
14KB

MD5
5d17006407392087b72e266b68e19540

SHA1
6b7db598d6fb56c28f858e8f44aa37b2598da984

SHA256
cfadf14d93137b377eab126b3fd10417fd755d580aca4c7bcdb7b98ed2106025

SHA512
9c0e26b83e4d3c2c0655757300012a715a6fe88e379ca1f370b663ace9e0002c01425b56b5744d4b1bc764340baf96de7c329f4deeabe847878b451cadd24fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uj4v1ok.cmdline

Filesize
266B

MD5
abc6a7667854efb57a3bf91cdcff3e6c

SHA1
5a9249c4adbf957a84518f15e4f9234d90b0a226

SHA256
5f991c6d041e76391939955b182fbe3f5d5c9545c7818efb91d170fd9a90a245

SHA512
4ff9abce9ba4dc2334d84349e9009799121dda31e5279050cb4f43e45363cc9c6e6923ad95ff812ed2c3d55dd69e2d913ac664e901548bad64e124631b802686

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC57.tmp

Filesize
1KB

MD5
7bc50732b79a56e48d16c061a45dcb2c

SHA1
89ad832a6606539d87272d1798cbaf426d6719e8

SHA256
cdbd70f0970b1afaf0c07384cfbae518a1663e71d083ebe57e7f107220e7b40a

SHA512
3748502d8a44a3c28fa166c81ec481f81fb2ecb256d3eae0a8c34122a10194810058b325e1da18403f78577e259e3b82ae8e4bfb478973126a08d82e2db8b5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB3D.tmp.exe

Filesize
78KB

MD5
bfb00ac9c3dd48b069d08065a5d5bceb

SHA1
adb9f32de9a0196f21f6c8cdb1a3234f3915698e

SHA256
350bd610deb625c7def4ddf9857bd9864fa659b4c87fa28b4c0981d844962042

SHA512
5d9580f4cd41503b7d6c4fac6a89441aa45e6d29c4ea497c82d97556b496863589de38a7520029854a84b74ce719fa307b18c4fd29a97727c0504d3af3aa4450

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAC56.tmp

Filesize
660B

MD5
53953dac5a3af15a74d627da6703d2d5

SHA1
7257afaff6e3333c915d6a534933be37b5d56219

SHA256
ea8d8ba7a1af4e813902986f6856aac9190a834c9f117dcfd10ab9b1973c3df8

SHA512
b997eb56fd578698fd03dc13589559ceecc3925e493ad228d39aad0a2dafcb7f272d5ec3421d8eaaa3c8006d39cf5195a4b4451fbb5d9299e7098f707edbbfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2084-0-0x0000000074991000-0x0000000074992000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-2-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-24-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-8-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-18-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads