metamorpherrat | 3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4

General

Target

3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Size

78KB
MD5

6374b401c0df839391cf21aa30f7a247
SHA1

9eeeaf015204caafca8273b09fadb663553b7fe7
SHA256

3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4
SHA512

5bc6b7bcb28ec9809a6a113ce0f11fd2967ffbcfb819296b068d428d954cc6f6daba853142d3dbcbef13a76d5d3da519695514bbaff69e593a160bdc10a96785
SSDEEP

1536:0WtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLc9/w18:0WtHFo8dSE2EwR4uY41HyvYLc9/xH

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2780	tmp4357.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp4357.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4357.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Token: SeDebugPrivilege	2780	tmp4357.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2828	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	30
PID 1228 wrote to memory of 2828	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	30
PID 1228 wrote to memory of 2828	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	30
PID 1228 wrote to memory of 2828	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	30
PID 2828 wrote to memory of 2304	2828	vbc.exe	32
PID 2828 wrote to memory of 2304	2828	vbc.exe	32
PID 2828 wrote to memory of 2304	2828	vbc.exe	32
PID 2828 wrote to memory of 2304	2828	vbc.exe	32
PID 1228 wrote to memory of 2780	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	33
PID 1228 wrote to memory of 2780	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	33
PID 1228 wrote to memory of 2780	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	33
PID 1228 wrote to memory of 2780	1228	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	33

C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
"C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mevnljbb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44FC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\tmp4357.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4357.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES44FD.tmp

Filesize
1KB

MD5
f1dc05b6b5df0d26103f23ba013415b7

SHA1
08440eb70038133ce100a23e00954c5c9058986e

SHA256
af7447b5a0e9f1c0a95865bdeb4dcb1111c59c337241bad3f1bf816ff660cc04

SHA512
2655cd60b97f2b7913396c497998f15caf92ec363a5fb7301316e1700bc7c8160ff9f43fb65cc8d84bbddf71962c86f1936b480610d03a5cccdea18f1ebb9d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mevnljbb.0.vb

Filesize
15KB

MD5
bd9fcc5119c7c5e320a796fc259a0ed8

SHA1
1d95c4b3899ae7c60f33bd67cf6874d0f8f4f093

SHA256
549f4f4b2b4bbfed2591476cb6a03400e6f0f4cae52e8d6821bf86ced67025e7

SHA512
f87c8bf48d919e3686ef838fd4ced2cef78896615cfcf9a0f032ba75f806c35531c6a4bd2bce72f991067219116e0d51788d83fe7183e31acf2fea1d18b80eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\mevnljbb.cmdline

Filesize
266B

MD5
51e4e617f9af8395644702cc8d7c27ee

SHA1
c2e09207971212173c1e32f282f693a12f4be61b

SHA256
904b441564524c04eecc67f83f467f91e6c75564161fe0b1640ba20411d91024

SHA512
fc7ae797832757ecf2291a174a7a85d5deead3ef193dc370f78c6ed4e3e60d64363554cfc012babbe13206d2c629ee91715d87f2fe4bd56248038341ff84a556

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4357.tmp.exe

Filesize
78KB

MD5
08d2543022f5d9e018dde0b0af542bb3

SHA1
9ab29465c18815baa047707eb4624c2bb0b16327

SHA256
3e91519d82d190e282c332558e9ae8b58aaa824fc130e6c816a21676485ddbbf

SHA512
487b5910189a32ff6061d49886e5fa3afd3547b96d59446f5b1a4f01fd6d114759268b77ba41244735138f6da42089a0fb093147da5bea5dfeb550aa9573c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44FC.tmp

Filesize
660B

MD5
d1ce2cf5622953f7024cf295c7440f1a

SHA1
00ff4785f4b9027b2b3e6a99657e46ce530b3df6

SHA256
08ced9514aa7ba7223f47f74249fdb821dac08d9bb0ba870e8c54648e24f1f51

SHA512
9d45ee75a4c1ec8f40734b07a47aa95e9bb884fb28e447142ff99a279221858a65d297daa8043a364249d09eb73c4986fc4448aa2497b56f841795a169c76f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1228-0-0x00000000742B1000-0x00000000742B2000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-2-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-24-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-8-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-18-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads