metamorpherrat | 37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317

General

Target

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Size

78KB
MD5

94aa56de2a40839fcd86450b31deafac
SHA1

b761513b32928cb7fdcf7877d9add4642ded0a49
SHA256

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317
SHA512

cc89b81449272c58982291e3c13a278b4178d7db441dd38e8ca030b2a282150c73e0d71c4928e1e0ee8fb22203d1dbd2be012a6abf640e8fe8e6c0ddd0f4a705
SSDEEP

1536:C4V5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6Vs9/e1Wpb:C4V5jiE2EwR4uY41HyvY+s9/Bb

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2752	tmp6420.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6420.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6420.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Token: SeDebugPrivilege	2752	tmp6420.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2808	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2160 wrote to memory of 2808	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2160 wrote to memory of 2808	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2160 wrote to memory of 2808	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2808 wrote to memory of 2168	2808	vbc.exe	32
PID 2808 wrote to memory of 2168	2808	vbc.exe	32
PID 2808 wrote to memory of 2168	2808	vbc.exe	32
PID 2808 wrote to memory of 2168	2808	vbc.exe	32
PID 2160 wrote to memory of 2752	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2160 wrote to memory of 2752	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2160 wrote to memory of 2752	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2160 wrote to memory of 2752	2160	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33

C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
"C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fd5pu4yt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6672.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6671.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\tmp6420.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6420.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6672.tmp

Filesize
1KB

MD5
522b0cacd079881254eeed22ddfbaf93

SHA1
4dc918ece963a4c0f38d7618ae42ddcb57029cfe

SHA256
e9f4e9fd5dc3c1c70a494b8e3d5919702dbf247486d06e7cbcda9fd92e74134b

SHA512
d78e37660f120334856b47e2b069a54f2a9e9acf1834e12813a5e61fe666afe71249c3db32598cac4c0dc8415ab65b770fa25efc07e83d16ddfe3f3efe770b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5pu4yt.0.vb

Filesize
14KB

MD5
ec13382cda8868d51e3eac201099a986

SHA1
0dad3f139d35a606096a1344675ca214490d470a

SHA256
31dde1f13e96a4d06f76e9c8e7b838c3de8c8271708f9888461207c7607573b0

SHA512
f8172bf03ec1ef324224a434f6daad801ae46b393baa0ff21e1e81b409d2676e1f9b4423a515aecf55181eb26ae3064de018fb1e19356a9bea88c785a5b51b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5pu4yt.cmdline

Filesize
266B

MD5
fba179250c6b5efb43d10af04dbd96ea

SHA1
939dd6778fae76a512a83b231d1d12359e1e6ac8

SHA256
dec1325c8557a30f4b7bf0234db2a50f42cb9b4d1994c4ded654b2537d09b68a

SHA512
b2b83fcd817595246d6493feaa5555467242e988d4b60b2db87de1094f206c7d6151bf72344cbe9c8272511b0fb1e4f2b77affbe76822f251d0b6e12cb8efbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6420.tmp.exe

Filesize
78KB

MD5
2a61ccfde5cade4684351708576780ac

SHA1
537aa20cd2feb0b3ddd41bdb682c333af0fa01c2

SHA256
9dad0241dabde60c5a080e7aba0cba79beccda0fbabf7bf9d43b4559745d8fa7

SHA512
dccde2938c9d945a54e1803f1bfa25860ebfab89d785800e1ae9552856dff2ab272f4c5677334b47ae6d413b2a7b1ea2bdc861ea18a3bc48dc42d2dc9a1befb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6671.tmp

Filesize
660B

MD5
07df1492b6b47f59d764958fc1404825

SHA1
6790d5276978d52d6f417ec0843a437e755f1d65

SHA256
fb8d3e91356daac60e9a922cd5600227a02ae88859565e4780c506c90dd61a9a

SHA512
30f03bd0624a0053d8cf2c94adf31696a81370583f7916888fcb3d29358fc0aab0d1086862226889083d741bff04693022f311407b975d67167741ff75dcb06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2160-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-3-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-24-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-8-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-18-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads