metamorpherrat | 15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8

General

Target

15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Size

78KB
MD5

06c8b813e05563d88783ac17ddf078a8
SHA1

44b860c38f565f0d6be43832b2e793020fe7f611
SHA256

15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8
SHA512

22687eedd4218c8ea03b1cc9e898c6e5e9048fdc2ee0973f016c22b4421d35956161c399dbf59117af39522e8c6fa9f28ebdb59bf0d45f4e01b46d433249f5fc
SSDEEP

1536:DPWV5j/vZv0kH9gDDtWzYCnJPeoYrGQt9629/5R1gmY:DPWV5j/l0Y9MDYrm799/lY

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2752	tmp97AD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp97AD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp97AD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Token: SeDebugPrivilege	2752	tmp97AD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2704	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	30
PID 1204 wrote to memory of 2704	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	30
PID 1204 wrote to memory of 2704	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	30
PID 1204 wrote to memory of 2704	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	30
PID 2704 wrote to memory of 2260	2704	vbc.exe	32
PID 2704 wrote to memory of 2260	2704	vbc.exe	32
PID 2704 wrote to memory of 2260	2704	vbc.exe	32
PID 2704 wrote to memory of 2260	2704	vbc.exe	32
PID 1204 wrote to memory of 2752	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	33
PID 1204 wrote to memory of 2752	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	33
PID 1204 wrote to memory of 2752	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	33
PID 1204 wrote to memory of 2752	1204	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	33

C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
"C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\84zpup8i.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A2D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\tmp97AD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp97AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84zpup8i.0.vb

Filesize
14KB

MD5
9ab3b3d4170b976872c042b831dafb9a

SHA1
fd33c0cfa3488a95c85bb8b72b273cb39379109c

SHA256
5f5898cb7a68244723d049dd69ea63cfb9f155486774e178e51674a001aaa94e

SHA512
e286f024f278a0c421f22cc1e3bb1b52da7623dae3cb9f29ce8ae153d8c473a8308b4028e919d789534f23efaf6bb7c5585809dc6ca01b65da157c33190c772c

Download Submit
C:\Users\Admin\AppData\Local\Temp\84zpup8i.cmdline

Filesize
266B

MD5
5a681e132f733bf995e5dd93d5596638

SHA1
70633d468ca9cc6c2ce15ace101bd261dc801716

SHA256
832c1c77fe8662a7446789fa11bf6116b92065b8fe2c8758626f08a4b826ed7b

SHA512
659f485fb852641f70b3e36702f46984c90ba3de0d307646e070acd970dc1590a635c98d30d809d40789a8459d7ecd373ca95d96c4a45cad10ae92b83f6fea6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A2E.tmp

Filesize
1KB

MD5
dc651b90f76a2f013ac223fa17bd8cbb

SHA1
e7fc8550b6ecf1a15d2ddc4646a40aaf24adcc71

SHA256
a001fbd2fd5f747b8dd85f127a3edbe762ed8695b14803c4c405a2826e2908da

SHA512
8ced3368799af2964c43a58ac1595b3cd59fddda46c95a0d46796cea017db980ffd09ed2dbad66299f97eb5ee24cdd700da74e88ca3b71c30c0d6e7512966486

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97AD.tmp.exe

Filesize
78KB

MD5
1873ea4679f9d51e28844157545a5031

SHA1
8bf99c969bf3578723c93b5105e1befb02654a36

SHA256
ae0b43765f1a0f14b6851cbc0e3ffbf4a900b8eff4212340f6cb69798bafffb3

SHA512
c74dcacc497e92f7800d6a04f14d71d65f787d8c74ac283cf045734cea65612d2807e3eb2752b8a0d63b024f460302a54c2c047da6b3fdd33eacd24219280faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A2D.tmp

Filesize
660B

MD5
bf54b85ec6aa58152fdf18d821bf9184

SHA1
2131ae5983c8f20e230ea9e9491f18d3063ebc5f

SHA256
52d1aa28ed4aa274b9e66cc5ab4cb0112dc9e8d411967836e5c75ef3d432aa01

SHA512
d64f2ec243349228bc94c05604a9f5aac1cdb67a216f7c4c54675ddb673c315bf702c4a169a626c5a337c5e123eab3e6d32f22d053dcee5389070c6bbfb8ae46

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1204-0-0x0000000074601000-0x0000000074602000-memory.dmp

Filesize
4KB

Download
memory/1204-1-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-2-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-23-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-8-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-18-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads