metamorpherrat | efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890

General

Target

efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Size

78KB
MD5

9a412ac39baa32f0bfaa8191e951b5da
SHA1

8881fbf8cc4a33a8d067febb7df6e7d5a45e4548
SHA256

efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890
SHA512

800f5155e2dd51df7051cdac16a73b1e57f270195d7f4c721935236744214cd4cedfc38283232a13a72a954482ea0ece7f44c06115f3330e0220e624f655050c
SSDEEP

1536:7zV5jS2vZv0kH9gDDtWzYCnJPeoYrGQtC6N9/M1+V9:nV5jS2l0Y9MDYrm719/f9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2308	tmp8CA6.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8CA6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8CA6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Token: SeDebugPrivilege	2308	tmp8CA6.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2508	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	30
PID 864 wrote to memory of 2508	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	30
PID 864 wrote to memory of 2508	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	30
PID 864 wrote to memory of 2508	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	30
PID 2508 wrote to memory of 2352	2508	vbc.exe	32
PID 2508 wrote to memory of 2352	2508	vbc.exe	32
PID 2508 wrote to memory of 2352	2508	vbc.exe	32
PID 2508 wrote to memory of 2352	2508	vbc.exe	32
PID 864 wrote to memory of 2308	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	33
PID 864 wrote to memory of 2308	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	33
PID 864 wrote to memory of 2308	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	33
PID 864 wrote to memory of 2308	864	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	33

C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
"C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\attbvyix.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D42.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8D43.tmp

Filesize
1KB

MD5
9537bf7d250e653aa7ce933679efa93f

SHA1
c405a571c95b6ed1341656972e4aaaa724045010

SHA256
6c46df8f8873e8fa3300dc183f5bec14252b3f10a2b838a005ece0df1bcbc496

SHA512
3860454a8c92589144b674d3afb3e5c4fd5bde51b8a2cec0d2ab44968e2ef239595c9f60ce139052cec8e22a143e9ccb9191b95f803aa26761eed784425ad396

Download Submit
C:\Users\Admin\AppData\Local\Temp\attbvyix.0.vb

Filesize
14KB

MD5
8f7443cdf69f4a982dde08ef65176750

SHA1
f424180e342267251ff142cc1778498fec745b22

SHA256
a3607b05bb2e36a94cced180ac221ab959abf278745c0109a99e5163d4a1339c

SHA512
e8847361363b1ee20e30d26e667bcc1f78bc68036319ec32001073fa87dc5cff3e5047b8c5f9c55d0be4b6880053bef531426ecb479c6079d91eb500e487126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\attbvyix.cmdline

Filesize
266B

MD5
71acc93dc3e48af0e2e3ea77da412d09

SHA1
1edd33211ca9dcdf5e241c5549481687a548a367

SHA256
f0d3017ffbc22ca848577de0421deff31210ea4aa26e71bd00226702a3712867

SHA512
9655d6e16652e9d7156edea31cefff84d6c56e9187eec86cdc0fd6798c27a8662d770225424e759f28f2668e8beba0d3732ba4e1c62e6618559631a1fe7c27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CA6.tmp.exe

Filesize
78KB

MD5
eff757c62a2cd9224bfb2bf7b2d8504d

SHA1
0f08e776c1d75121edda7b663985fb83e09d6120

SHA256
be82a70acaa7e9c539c9f7fb3b49263fccde2dbdc1061789b18694ecc6ca86a0

SHA512
9d3fd212ce70a6bf64e71e6f8c0e64c7cb94684c0c98a4c24f6258fb39de101a84b19cfea8544f7542ff86a122e40a01879d57254bbe88d7d41a5a3f240be37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D42.tmp

Filesize
660B

MD5
9febb9465156cf8be5b529d49ee6226f

SHA1
d5cde4adbb69378b058d666b01136d35b7793651

SHA256
e50980a916b3e1b909d10faa1c86a93b5ad94152138ecb8998487d5c8bf85e0c

SHA512
62da85a081c0108b633fcf1877321aa65a098bea5cc6c5232b0c7f4bb4052ba206d484c150adc6221757e5a18ddef3a8284c1d82e8df756f839d9688e7d7e731

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/864-24-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/864-2-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/864-1-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/864-0-0x0000000074D81000-0x0000000074D82000-memory.dmp

Filesize
4KB

Download
memory/2508-18-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-8-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads