metamorpherrat | 37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317

General

Target

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Size

78KB
MD5

94aa56de2a40839fcd86450b31deafac
SHA1

b761513b32928cb7fdcf7877d9add4642ded0a49
SHA256

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317
SHA512

cc89b81449272c58982291e3c13a278b4178d7db441dd38e8ca030b2a282150c73e0d71c4928e1e0ee8fb22203d1dbd2be012a6abf640e8fe8e6c0ddd0f4a705
SSDEEP

1536:C4V5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6Vs9/e1Wpb:C4V5jiE2EwR4uY41HyvY+s9/Bb

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2748	tmp6F27.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6F27.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F27.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Token: SeDebugPrivilege	2748	tmp6F27.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2584	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2792 wrote to memory of 2584	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2792 wrote to memory of 2584	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2792 wrote to memory of 2584	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	30
PID 2584 wrote to memory of 2948	2584	vbc.exe	32
PID 2584 wrote to memory of 2948	2584	vbc.exe	32
PID 2584 wrote to memory of 2948	2584	vbc.exe	32
PID 2584 wrote to memory of 2948	2584	vbc.exe	32
PID 2792 wrote to memory of 2748	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2792 wrote to memory of 2748	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2792 wrote to memory of 2748	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33
PID 2792 wrote to memory of 2748	2792	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	33

C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
"C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hk8ieakb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FF2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp

Filesize
1KB

MD5
f41aa6e2073d276a5a307bdf117de796

SHA1
c85ae195758852c89e6aab4ea1713845d7794012

SHA256
fb559ab6642b6978bed0f121ce11a62ce26ba8d30415e50098889fdca502a7a5

SHA512
84bdecacc886e5d6eb34955bfcf37cab263431f094de648ce7686109d473b84fda7251c56b9029af693c020cbbd3848472244c4182e24ab0c118c37b8b7ebf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hk8ieakb.0.vb

Filesize
14KB

MD5
fccf0cec083f144c5ee35c5fb2a893ba

SHA1
dc24da761d22da32b69f1e8a98cb9f02624261c2

SHA256
86f5ac37174e75aa48e6cbb43eeecd4aac8efcf3fa53a0606a1405171bd0124b

SHA512
74bcc7a384ca599acb0939a8a53ddd11cf5968ac6442e43dd16b6ff03374702bc03ff02132637428d2418ab7fe6a7133476bbb9daf6522a494957c001eaab0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hk8ieakb.cmdline

Filesize
266B

MD5
1de3a53628b7920885164d5888c9741b

SHA1
94b3affc1d6eb0092124752d74ddc760c2f09e39

SHA256
a2cd00029444fbb1e5d2e122ebaacdac2be558627a73754acb23d51c40e51c20

SHA512
cffb4463047343aa3d6c7a0df1373e592870c5c7c680855275234014f13a91f76f5754555e218dbeba9de5d23426dd04743797fbb14f1b527acde2c289bcd51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F27.tmp.exe

Filesize
78KB

MD5
6460ee0a137d5f07ef19444aa7eeb760

SHA1
aa0bcb375490fb0aa21dff6a774e74a275c4feaf

SHA256
3054b339d68da7b1f93d3c78d250afb37e84426a0d7c4458135e829314bdaa83

SHA512
8afab95943c06ef080bddb265e349a50de86ad1d55ac40da8f361ff33a849c9343ad67634773365363eba8a73fbc49e4ef8b49614608436080db9a4e27d95aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6FF2.tmp

Filesize
660B

MD5
1652e93bdd49b6a4023e6a8be0ec8576

SHA1
b955f0e46c42e62d21c89b5e29c83d5ac1af1eb5

SHA256
575743bf2cb8433cc3d2149d53d8fc511405e44d34ae14279b9f006b3557740c

SHA512
188f8ba9a41c2744fb5a287bc6d992aaa9785f90a10808edcda864e02e8f29f9da49b80e38089c266824db1862b5925bffdac59577756a064e0ea7a54f6ecb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2584-8-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2584-18-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-0-0x00000000747F1000-0x00000000747F2000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-2-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-24-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads