metamorpherrat | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3c

General

Target

01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Size

78KB
MD5

667d8b4cf55d8d417133c482d5c12860
SHA1

3388e21f716a6f84f7f4bd6f49416d5e135a674a
SHA256

01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3c
SHA512

fa9f6fc65101dca760ea21a63abd94b0158654d939c1e833c6b44acf4d2e31ae8c4ffe67a27395b93ccdeeb8d17f62dc2d552f1d91b2e8eecb271f95afb3c927
SSDEEP

1536:nRWtHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLM9/R4X:nRWtHFbdSE2EwR4uY41HyvYLM9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2712	tmpBCBA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpBCBA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBCBA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Token: SeDebugPrivilege	2712	tmpBCBA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2164	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	30
PID 2440 wrote to memory of 2164	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	30
PID 2440 wrote to memory of 2164	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	30
PID 2440 wrote to memory of 2164	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	30
PID 2164 wrote to memory of 2012	2164	vbc.exe	32
PID 2164 wrote to memory of 2012	2164	vbc.exe	32
PID 2164 wrote to memory of 2012	2164	vbc.exe	32
PID 2164 wrote to memory of 2012	2164	vbc.exe	32
PID 2440 wrote to memory of 2712	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	33
PID 2440 wrote to memory of 2712	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	33
PID 2440 wrote to memory of 2712	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	33
PID 2440 wrote to memory of 2712	2440	01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe	33

C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
"C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwyajbfm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE40.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- C:\Users\Admin\AppData\Local\Temp\tmpBCBA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBCBA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBE41.tmp

Filesize
1KB

MD5
ad665a3a023bee3f32c48bde04c99bdd

SHA1
fc3558c1b7aee017512de00a3213d98dad9fc375

SHA256
f01b3c34fe1ba240a9cdc3d07d2c3092f10eab778f82248368056628503163a8

SHA512
0b8f1912378250d59fee74245171ab9e04cb319e5f518e01bb607e43da4915eb921887234aa398ccc4a30e1b056850cd6d9afcf4648a0a0b29a1d40df3801a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwyajbfm.0.vb

Filesize
15KB

MD5
d72efd7efc51a633e6667f4ddca4387a

SHA1
d4f9af6fc48c59877929f3f54d0210b70012800c

SHA256
8f5333e51b7906dad155523a62253a910345d769d8ac993701f5105c33545601

SHA512
8b32bb67313547cc132b642b811386abedecdeb763440027efeccd17b7973f54f40ced0e832dba342a0c5a4a77b66e5de332d46d0c3e6ed7844272cde5c2ab67

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwyajbfm.cmdline

Filesize
266B

MD5
67ccae3f99aa49db2e7998c5318afa89

SHA1
e8ccf63e7cb6796aa003ebf4e8ef7eeccb1a097f

SHA256
0cc3eb3f5453056fc07ac1e891353903554f721c4e4d654612af0804652d9274

SHA512
32661cf30a21b512e2d423ec7b25aa2cc33393991d9fa6e9dc27c4fef312752789c6de646154e17386f40ff4248a05792e827fd47de4726c62e7d0c33946e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCBA.tmp.exe

Filesize
78KB

MD5
d3d12f09fd33e70e6906d20637b334a3

SHA1
9c2fd1592009de04b65f0714d23da9a87c4eea1b

SHA256
47f90c853c7fdaa0984c7bbe831bab97d7d3882c3a7cb7c093ebffa49b140473

SHA512
e804f807702d52ae0ed5de7033b2d2a612e421e08b114f524d829fd1789bdd5f7557e81abb608cca4cbac9f2b315996e6b862aa9310d228962ea7b9ff56a268d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE40.tmp

Filesize
660B

MD5
7adb91e35fcd1d4cc3f675187880dbc1

SHA1
3b0e17eaa5e69f1581591998317bf971a0e29ff1

SHA256
6f60a595232b6a282b45e9e664a68d245f6eceee76f936a8a0988cf65196df4e

SHA512
cb564b5ecd387ad7fe8ce562829d58f91ca096e3a0d2900e56f5a9ffbd8fe9cc41e48e33d6592f7f2cd97c481a41addc84b68bc5a7333d3e6be235a9d33e1e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2164-8-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2164-18-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-24-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads