metamorpherrat | 0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba

General

Target

0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe
Size

78KB
MD5

c12627e95afa28641ab02f70fe8de18c
SHA1

e8a0e47f4aaa342977705427463117971c9b9309
SHA256

0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba
SHA512

fdcce2ec2ee74c0fca3065d028e6c9b5ef8a1278d99224ba637734b7faa9a9a47a630312c2e43521fcbfd31dba12da7468bdf7176ace7f9b27c5bdf54c3e5a54
SSDEEP

1536:bRWV5jEdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6F9/7Y1ei:bRWV5jzn7N041Qqhgt9/7E

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2772	tmpD0F5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe
2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD0F5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD0F5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe
Token: SeDebugPrivilege	2772	tmpD0F5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1740	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	30
PID 2136 wrote to memory of 1740	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	30
PID 2136 wrote to memory of 1740	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	30
PID 2136 wrote to memory of 1740	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	30
PID 1740 wrote to memory of 2084	1740	vbc.exe	32
PID 1740 wrote to memory of 2084	1740	vbc.exe	32
PID 1740 wrote to memory of 2084	1740	vbc.exe	32
PID 1740 wrote to memory of 2084	1740	vbc.exe	32
PID 2136 wrote to memory of 2772	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	33
PID 2136 wrote to memory of 2772	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	33
PID 2136 wrote to memory of 2772	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	33
PID 2136 wrote to memory of 2772	2136	0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe	33

C:\Users\Admin\AppData\Local\Temp\0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe
"C:\Users\Admin\AppData\Local\Temp\0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irh_7yfy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0b1741e79d2d639e8ad5e46835cb117f98a13e62cc58f841afbcd94cb2a9a5ba.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2BB.tmp

Filesize
1KB

MD5
b9191996eeaf114d13a6b02c6a292e64

SHA1
d1d86d2486b22a4f8eac7a691fdc4aaff99cb837

SHA256
98e6ee7292c818ac839e1ac16d8d53aa528bc2fdc147321e7ea9ac129be19b9b

SHA512
4e8d7d0cad54a2ce4882cbfeb12d89fa2d6ca37e4a6e17286e73f33a924ce99346c3bbad034207694bede0b9ad4cbfeb38a039504ec3053f4f06daeb091ab7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\irh_7yfy.0.vb

Filesize
14KB

MD5
99bc9ebc735eb161f5964a61aa294b37

SHA1
48445e88ee22a0c042e8686c35a9654e827f4e3b

SHA256
ffbe4211db822941de69e4bbe4e1301c8f23440b4eff34a658f2492e5e75a614

SHA512
50d18e60c7379867f09ac092bb570fb0532e168a4ab4d276a44d9b5382176b7de5b325144bdbfb64fb8574e4f98012de67fe6cb08a5e0a42ba98802901dfb6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\irh_7yfy.cmdline

Filesize
266B

MD5
5dde29622449f04f33e24e67bc89f9a2

SHA1
3d363fd8f480befea11e9bbaffe710063521301f

SHA256
a13faee5398cbc24200e06d9bbebf60054b1bf48a2f5f38122dd451258c5952c

SHA512
3e18c71d252b765de06cdd587d3bb5deb0d9eb03e24849997bbd76e0ee7500b0dcb537221fdeeadc07ff014db68e4226d77f93faf0fcd4c23624140f381c544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe

Filesize
78KB

MD5
c382824f4bea741b44fa2bcc38bd1304

SHA1
aac8ebe1e1e152dc5676b17af54fb43cbe4df9d4

SHA256
73d9a8c99f011570d387d0e6cfc98a4fa168a33ad51534ed82bc03a5fe7fa221

SHA512
d3187b845b0697df8b666c1fc2e7be52bda1bf60c495c309f46e20f902b17de174f73ab5ad4fbc48053198e84d77895c072421f113afb384973717855e110d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2BA.tmp

Filesize
660B

MD5
d002ca595762fd179c521eb6f52b9898

SHA1
f2a428e5f0f57e74593b97c7396993714e210282

SHA256
16cee14a6d8793938804faf6ea1cd7e4bb2e521f2f1bb44fc1476d20f83a059e

SHA512
8023aa9b9105bb8db0d668a2d49f92ec3cc7f1ae123021dba91d40a7d9025d7f3aff35279dd3eea7073b3bbc658534dc7bd5ade7f31227622aa4252a5deab7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1740-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads