metamorpherrat | 8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6

General

Target

8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Size

78KB
MD5

600e83c24bad9a1299454e32daa605d0
SHA1

621deb0a82fbfe04370fbb8e96252d0dd453a7e2
SHA256

8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6
SHA512

2a51608ec3415f36003be13f01724d6b8a6db604a819a0624852fecb2fa58594ea3c1be1134604c39d81c4ff3123d49b35a0007c5041fe7a5fba002699a1e0be
SSDEEP

1536:5CHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtp9/I1vNn:5CHFo53Ln7N041Qqhgp9/2p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1500	tmp982A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp982A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp982A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Token: SeDebugPrivilege	1500	tmp982A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2396	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	30
PID 2528 wrote to memory of 2396	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	30
PID 2528 wrote to memory of 2396	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	30
PID 2528 wrote to memory of 2396	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	30
PID 2396 wrote to memory of 2980	2396	vbc.exe	32
PID 2396 wrote to memory of 2980	2396	vbc.exe	32
PID 2396 wrote to memory of 2980	2396	vbc.exe	32
PID 2396 wrote to memory of 2980	2396	vbc.exe	32
PID 2528 wrote to memory of 1500	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	33
PID 2528 wrote to memory of 1500	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	33
PID 2528 wrote to memory of 1500	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	33
PID 2528 wrote to memory of 1500	2528	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	33

C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
"C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uaulo3t9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B27.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\tmp982A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp982A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B37.tmp

Filesize
1KB

MD5
99feb35e25093f1e49b517d2cfe7d127

SHA1
73e3ed8a138bd63dc6a08017405836bfd958df34

SHA256
235201a198369063aa520d86a22153ff8eecb44176baae9d570dc9b5f3d6123b

SHA512
c7db98e1b76c6410359a0d07f7f7165a930915bac2626d252627252f701f0eb9709d11b895a28838f2622a630de07aff8998764561302e72cf65c89a833635eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982A.tmp.exe

Filesize
78KB

MD5
75989505bf71bed45930d47000ef98ab

SHA1
6fc21de1d7716edf197416da10a32a7b40607cb7

SHA256
2df7b61ea94b530897611472b0af1dc8ef7f23dcc2f7da0e86da204ecbae7f7e

SHA512
f99c463bc1306de3cd049a1251a2fd76004c177f10de3485f05354f9f85f022730d554b65ee5590cd4ef3bf985ef7ce3e00736c4c0d6928040c019bef5f4c5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\uaulo3t9.0.vb

Filesize
15KB

MD5
86bd8a65d16b5223b2187006a0df7311

SHA1
243a9b388c10e6d33d7d46f627e1126f05f7fc03

SHA256
2145a1aec4f234e4df1a0a4c6375e319b40dfb732d7ca463b232429a429377db

SHA512
e64991c1dce2dec314e437ba5c0404f511543f3779c3dba6933f7a0a2cc4066643fb95cc3e64d0701aeb8f2c3bff9cc71a8630b501858522b7e1822e8f5a8502

Download Submit
C:\Users\Admin\AppData\Local\Temp\uaulo3t9.cmdline

Filesize
266B

MD5
4477fcdaa840d0a5435f11e5cdd53d3f

SHA1
561879f29261a6ee132be58cad77d7f5e9d435f0

SHA256
b6082fdc244cfaed82c1331d8f8e13c5e1de9f5da1970a3e7b67f2d3bc1b7ceb

SHA512
fd90ffb40cc8d0845f038bea78095fab9ec3d6c57a05c6360e89c0ab3e620cbad46d1249b1146ce4282c3ce2f8fbe931842e23515027a2c8d44a2dca89a39a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9B27.tmp

Filesize
660B

MD5
8764aa7511ccee29ed2a9d40e015503c

SHA1
479598794138f3b009992cfcfe600859fc907c9e

SHA256
b8ade6ca2cbfebf6d40ce92a8de95bf8f85397dc2fbe59861154f97e1541108d

SHA512
fe950f2944287cc17d64a027e5cb8f97bf5fd1bee6c0405aa5a50e075484923becc00ad41cefa2f53b3078af4a4149a78e38bf0a02fffd1250d2e25ca2964a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2396-8-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2396-18-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-24-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads