metamorpherrat | 8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1

General

Target

8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Size

78KB
MD5

dc987ae5e2bef281450f46164c01ece0
SHA1

21d2f2010744470718e76908d1ea06df7c3c8e91
SHA256

8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1
SHA512

ba65e6d7b6161843c3b2963aa960e89bb37560e770424f9e4c41c972314f9a02e5fece762fd7d37b43dc47ae220c71945aef3ddade200358227d8279a677023f
SSDEEP

1536:158Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6E9/Yx1eE:158yn7N041Qqhg89/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2580	tmpEA4F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpEA4F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA4F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Token: SeDebugPrivilege	2580	tmpEA4F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2768	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	31
PID 2268 wrote to memory of 2768	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	31
PID 2268 wrote to memory of 2768	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	31
PID 2268 wrote to memory of 2768	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	31
PID 2768 wrote to memory of 2560	2768	vbc.exe	33
PID 2768 wrote to memory of 2560	2768	vbc.exe	33
PID 2768 wrote to memory of 2560	2768	vbc.exe	33
PID 2768 wrote to memory of 2560	2768	vbc.exe	33
PID 2268 wrote to memory of 2580	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	34
PID 2268 wrote to memory of 2580	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	34
PID 2268 wrote to memory of 2580	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	34
PID 2268 wrote to memory of 2580	2268	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	34

C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
"C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uxog4_fe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB58.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\tmpEA4F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEA4F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp

Filesize
1KB

MD5
62b1c0c185db590b5fcc212b06a63fba

SHA1
c40fab9f4979d202aa7db6491729e8ae6d722c54

SHA256
59e42363b6c2592c9e851860962fe079ab6ee8b5383b8b18a5fc9f2a9e3525f3

SHA512
8b1a730d2daf7496cf029a7c6898268f61fd714fd1326be5f4d6ee8455dcb6e050d24eb72174be2d87515d008615cd535aca9da0d2eec75276e3460e32a5ee5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA4F.tmp.exe

Filesize
78KB

MD5
617de3bd14b88c0aeed6956ff614a107

SHA1
296dbbc43d4b82522cb8c9f4399cffce9d98b4ea

SHA256
c74d9378dae8bd4be4a3bd4d5f0e38ee4d4a26b8256a7ae5788423052786a757

SHA512
a2a23c4c47ea398389b9159351cd2e841cf389398893591b076edc9c075efb4f3f236e72b8d32abd47fb32bf07de0df5ea16485bcfeef998159109d9676940e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxog4_fe.0.vb

Filesize
14KB

MD5
19235f63da008afb3b289c892fac9872

SHA1
42dc8fae210a91c46b39fb39cf26947698f883c4

SHA256
e5ae90822a9616c5f78be5d4214a152c034f34b723c30bcb910c6d97e94f8704

SHA512
80da0b7c91c4c0f082842b2660d03a9843dbbe94734632cf7ef99aa2f68b4b6a0b6e551eb36bb0efb5ec76ab8109bf572793d8c62c2b2b6e789653641885cc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxog4_fe.cmdline

Filesize
266B

MD5
f8801b6e3137ab2e8c6ea15f7a403c0e

SHA1
1ec2d5140ae0dc7aad218fbdda50f0f0bf89bdc1

SHA256
4576fc3a8cfbe936eaeb7ff8db41eb457256f42fdddb225a5fca5007d1aa1730

SHA512
62d2052d4f5171a718ecf683feea6385618a283d65e20a6091fe0c855764f6c2e23821f9dd0ec60d7b0a0f6a28564a8b3c49cf640b6ebf15ce109da124c9eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB58.tmp

Filesize
660B

MD5
bcb9b23093b39e494ba98c3152e20e08

SHA1
eb5c5d3c831f5bb40fa10f88ba66e25b42e939e1

SHA256
202d438333b235835ee6128ea0fcf974688be581ab85a42665a434edef940aa7

SHA512
c3cd6f0e3de7adbcb6fcb322d845e97ff24ba0f7d4f46379da2470731f2c2857183f2de6626634cfcdf57fb005e84d7ed811bf69b8100c80ee90dfdd8e18b880

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2268-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-24-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-8-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-18-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads