metamorpherrat | 8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565a

General

Target

8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
Size

78KB
MD5

06d06fc07d067fe9f0828d930694b090
SHA1

c7b92a651f9d21968eb67b718c5b86574d3ab27d
SHA256

8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565a
SHA512

e2881b8d082c779ca21e214976ca170faeb5e79087acf683b3c34cd8b36bcfe6bf99a75a1130a390273e045180068041b83626043ccda26f1b259b69ce174e3a
SSDEEP

1536:KHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteE9/N1au:KHFo53Ln7N041QqhgeE9/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3060	tmpC64B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC64B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC64B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
Token: SeDebugPrivilege	3060	tmpC64B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2352	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	30
PID 2044 wrote to memory of 2352	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	30
PID 2044 wrote to memory of 2352	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	30
PID 2044 wrote to memory of 2352	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	30
PID 2352 wrote to memory of 1800	2352	vbc.exe	32
PID 2352 wrote to memory of 1800	2352	vbc.exe	32
PID 2352 wrote to memory of 1800	2352	vbc.exe	32
PID 2352 wrote to memory of 1800	2352	vbc.exe	32
PID 2044 wrote to memory of 3060	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	33
PID 2044 wrote to memory of 3060	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	33
PID 2044 wrote to memory of 3060	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	33
PID 2044 wrote to memory of 3060	2044	8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe	33

C:\Users\Admin\AppData\Local\Temp\8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
"C:\Users\Admin\AppData\Local\Temp\8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\67drhh0z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9D4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ca63d2f53be90d96fd0bc8c280f35dbae3bed8fa5bdf92d0691619078f6565aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67drhh0z.0.vb

Filesize
15KB

MD5
1168fc42bd06d29887d1fab2f3959afe

SHA1
b8b2b8b3fe667b431191acd6f09be57b7c1ffe70

SHA256
45b99b4ac9a874494b45a04c71fa9003275d1cfdad0e8a9c2318c7e51a49b8ac

SHA512
1c73f976aaa4ec6b5828d85a241986c4942697654c8f0f94dd48a2fe7294558d84f9434ac833d15f144f0e640198deaa9343ac98708cc7dc0c6195b1e9c99423

Download Submit
C:\Users\Admin\AppData\Local\Temp\67drhh0z.cmdline

Filesize
266B

MD5
87eeffa1f11c0028f4acb4bd387d3b7f

SHA1
0b11f302a7d28e3ed8f4488cd91a426c477adc61

SHA256
b21dbf3b45dcbc4f4b1ed1da39b550bc386785bdf67f004bb57427a758e79e48

SHA512
86cbd8d8be203db031751105be8c1fff751af0f7d9db51981cfd1af96896f79771027bcd52cce72b510132bf2de99f3c846e91c46658e47a6f8ace929b904abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC9D5.tmp

Filesize
1KB

MD5
13f8fd32fd817df1a8890cc8c17cf7c8

SHA1
6914d44e9061b962b50d255115d90b2b510dfc10

SHA256
bc6957cba01aef715c88b0d43e2cfec915b120360306e634f66881988fda66a1

SHA512
98c554088fb62c8253f2b86a59208a97b75631cfba3cb0dd5a001a8cd8aa19a3d67177961e9c1b20e0836f9c7d0eaf147c4a91c29cce4e6ee73540fa005feb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe

Filesize
78KB

MD5
19c2db1c3487fe86576091ab8ebcd3d1

SHA1
a841c40e2c278211f7360cbaffc4587fe6f8dba1

SHA256
a04ebc209eb4ec0bff830456d4c969282393650d4dd020c00e913cdb4796809e

SHA512
6a0c8c585e022c29b0b08fe2d0e62a639d85b39ca1685855e042a80050a9f62d8f6846baab8674a80544fb710ead23f4423d48f29b8aeb7c7156d74ef9ec9057

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9D4.tmp

Filesize
660B

MD5
d548c1f050c277a0c399776d170bfd8a

SHA1
cd964bce4b99fbb30b24257630b4fccbef52f11b

SHA256
ba6bcd9dc55af92c9da53d1325bd07228c16f2c045cf1ece712c3ab6180e9521

SHA512
cd072bb5fab10e030be5aa88e25ddd42f771a0d55d40d7dc24d82ccf83faaad11290ef1b168d0259afd8ec0189d0544c24edd3fa9899554e88202af4006e8d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2044-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2044-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads