metamorpherrat | bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57

General

Target

bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe
Size

78KB
MD5

4c0e7335774001ac719761c8a5a747d6
SHA1

b11527c1ed0630a86c7c33f8834c3add90d51b9d
SHA256

bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57
SHA512

ba146ce7de02c4c1e693bc8f8bf82aea688f3af1c28cebaba9d0834a959c4eedfb93c9e8056208c1341fde9c3b42150ee2846a89fd698338a2f9858b41c10990
SSDEEP

1536:oSV5Ody0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6O9/r1fD:oSV55n7N041Qqhg29/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2708	tmp4E30.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe
2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp4E30.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4E30.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe
Token: SeDebugPrivilege	2708	tmp4E30.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2808	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	30
PID 2640 wrote to memory of 2808	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	30
PID 2640 wrote to memory of 2808	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	30
PID 2640 wrote to memory of 2808	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	30
PID 2808 wrote to memory of 2944	2808	vbc.exe	32
PID 2808 wrote to memory of 2944	2808	vbc.exe	32
PID 2808 wrote to memory of 2944	2808	vbc.exe	32
PID 2808 wrote to memory of 2944	2808	vbc.exe	32
PID 2640 wrote to memory of 2708	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	33
PID 2640 wrote to memory of 2708	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	33
PID 2640 wrote to memory of 2708	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	33
PID 2640 wrote to memory of 2708	2640	bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe	33

C:\Users\Admin\AppData\Local\Temp\bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe
"C:\Users\Admin\AppData\Local\Temp\bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yirg6orh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp4E30.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E30.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bfe8038d77f9eac20a942d13cabaeab52ae1e6aa2bf38bd5fc9730cb441e6d57.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp

Filesize
1KB

MD5
d7753d02fabe2c8b91f86538f9a9e037

SHA1
76e8b0fcbc16ad47b2b02cee6d8fd5347cea9009

SHA256
14318e75f942e5e95ef1f466d9c6ef21fad2ad9de6d086842ea94f800985227c

SHA512
e622709856106e2b740807fbffb2e195f37299a7c4f66c8750051184fef833b32b9e7d4dab537d31c8e854dfc2cdba0f542ae7f40ee05732c652fba2fe0d6165

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E30.tmp.exe

Filesize
78KB

MD5
8824a871ccf24a2911db9e01bbcc1477

SHA1
e0616009fcd29d5b775b3faeb97b71f63d453b77

SHA256
272121a63d0a81f7ed82b5bbc29c39db3acaea5fc412ca86fd61feb558bf07ce

SHA512
23444b9a1a0a9a581ccfa12a6229cc09905ed56f128c91fe9ac3284a9a1d71cbd594d08cf619af53ad89d19fbfc4b29900282917b5af4ce34d06ca3bb0af2b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp

Filesize
660B

MD5
e0f7b027084b17fa9926849c53c74ec6

SHA1
794069fd4574324bc738e224400712e972c6c6f0

SHA256
1adc73f370b86b990921cb173534ec38f5d94676ec61ec660d7738a34d6c14e6

SHA512
2c1c2dacf100744e05d3e5397189fccb673d6ee3e69fb90fa23a9a6f6388c1bfefd43fc8c1f4437e96c81671669c62260587c7efe50bede230e234d0540cbb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yirg6orh.0.vb

Filesize
14KB

MD5
bf765f111fbeaa3cfa8919f5f124a002

SHA1
20438eae317d8810f49aa626957a37273524606e

SHA256
3d37770baf68dca404cadf6a6176c263fd797a340659502b477729189b2d9e4a

SHA512
67e1019905d940710e9729e1ab09b98fca017d2ef7d4a77cc9a7a132c6107558a54ac24226d6ab60261a536bddb869f0d5e310e11061f68f6cfee4918ac67a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\yirg6orh.cmdline

Filesize
266B

MD5
b3a36739930889e1cd5ea15de9db14d0

SHA1
f6b4c820c635706c77d7149587b3b7cacb9f2582

SHA256
5cdca28b57573b928593b88cb5aac9b001bcf220cc8507cc97a10aa47e39c9b2

SHA512
eb064b35f005912beb21a8fc6b11ef159a9c46e98b503f25393060b75ab6539b8d99072a0c49c4609a5a00f99b97ebc95e31e2e2f8e0c50e2a5ba01466779e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2640-0-0x00000000741D1000-0x00000000741D2000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-2-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-24-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-8-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-18-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads