metamorpherrat | 98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5

General

Target

98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Size

78KB
MD5

82c8c5720f1c5886ae255297d5d65450
SHA1

170fe35f4931919dcc1f38fbb30561cf8d723fee
SHA256

98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5
SHA512

eda89ef3e98f38bc1527d89c1c752fd9d742e59a06006e3c28e11461a88b461049f0b4ea6d8d9080aaee61cc6bdd212f6fcbc640c2b1d0aa93f5a2f00a37cbfe
SSDEEP

1536:me5jJLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6x9/F1sp:me5jhE2EwR4uY41HyvYJ9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2948	tmp816F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp816F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp816F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Token: SeDebugPrivilege	2948	tmp816F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1944	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	28
PID 2408 wrote to memory of 1944	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	28
PID 2408 wrote to memory of 1944	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	28
PID 2408 wrote to memory of 1944	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	28
PID 1944 wrote to memory of 2228	1944	vbc.exe	30
PID 1944 wrote to memory of 2228	1944	vbc.exe	30
PID 1944 wrote to memory of 2228	1944	vbc.exe	30
PID 1944 wrote to memory of 2228	1944	vbc.exe	30
PID 2408 wrote to memory of 2948	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	31
PID 2408 wrote to memory of 2948	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	31
PID 2408 wrote to memory of 2948	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	31
PID 2408 wrote to memory of 2948	2408	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	31

C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
"C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aa7yzwj6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83A1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\tmp816F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp816F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83A2.tmp

Filesize
1KB

MD5
e2d41b22b29b5211849769c5d38f2b65

SHA1
e8a856232c507e7b3eacb2c06861374ad85affff

SHA256
f7d10e4668f3a1b848e27e9d5335c518c0f141e7ea58617b4d2c038a3f2da83f

SHA512
8372f47ca4d7bb092dff0570485a24221559a94fe7c59d6189c45edf92b43f4acd24db3c0055ab6622c4ffbb8af57eb4b086755e3fc47c6665adea5f5602a670

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa7yzwj6.0.vb

Filesize
14KB

MD5
69b01a79bca486b4e2d87bb3e72a5b57

SHA1
0096e28dd179c8f0e5de3b15fdc4e64ca5a5440e

SHA256
bf29a90099d306faa054da04c88d102c6f792072ff0abebff0c37cfd8f7599a2

SHA512
babda5a494e815b4a6d2f3fa2abf8e6b24b3792d18ceb2782ee45d9a9b56af6888ccb9f8d1a2f7ea77588c4e8df24d28c098352d61f4f322159ce1fdf60f237a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa7yzwj6.cmdline

Filesize
266B

MD5
7d3290f7e96e0ce941d288bed2e1eaf6

SHA1
0155c9a4ebc789663ba5e3757df7e5d2268a98a6

SHA256
7d6c5aae1893efa5b3d7f262221d3f002a95d9b7e92ff38b64341970b1414d24

SHA512
1701aa8e366a55330c30be94e165b6a47b02572fc9cd46a41b8a626fc7ed9893236801290d4e880d440cba28d4fe1a3ab52439df8ed3a2c11a7a5fa260f5efc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp816F.tmp.exe

Filesize
78KB

MD5
67101d5de30e968ad5e8484eaa520377

SHA1
61438267276465c5d74e2d4d139ef78506cdeadb

SHA256
b82e14e3761685e07c891e865a2eb4327ee038f3dd8f578865b3c2de7b57b9ef

SHA512
797db47c5eca5b1e0ce233d27275a8a5de801d010adbb4bf592ce1aa53ce5d22261eaec6b5bd5e31f3bb97fa3f825654bdb52407a0c0877d86986d8d54b7046c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83A1.tmp

Filesize
660B

MD5
cdb214f900a61a9160b0cd1f3ce6f952

SHA1
028aa319f8467bc4cdf61336b13ecbdc95f4e0ce

SHA256
8776703fb5828922bb8f8a1d187b98e74e5ae71c4649443f69b60fde041da7d3

SHA512
61be11c2e530d15edf2d802bc6691c4a7e2ce2319967ecf1b0859fee7b94fa0af8715f10174c13491d223862c864b43501d1e28c02f14f862e333e69068df528

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1944-8-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-18-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-6-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-24-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads