metamorpherrat | 86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68

General

Target

86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
Size

78KB
MD5

5fa7c9bf57225c49df47e8c39b661e7f
SHA1

611b273a13eb9136ef73dda870d890b822e7f4dd
SHA256

86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68
SHA512

635b3b3610c5764c9693aebb2a237a2a7ee7a09c0f2252536169c892127d89af9f7249fc576f3ab43c4debfe9a8bad50089fdfa9d8aa98c61101ed210a81705f
SSDEEP

1536:KPWtHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtq9/61wF:KPWtHFonh/l0Y9MDYrm7q9/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2768	tmp4F68.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp4F68.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4F68.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
Token: SeDebugPrivilege	2768	tmp4F68.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2700	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	30
PID 2644 wrote to memory of 2700	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	30
PID 2644 wrote to memory of 2700	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	30
PID 2644 wrote to memory of 2700	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	30
PID 2700 wrote to memory of 2692	2700	vbc.exe	32
PID 2700 wrote to memory of 2692	2700	vbc.exe	32
PID 2700 wrote to memory of 2692	2700	vbc.exe	32
PID 2700 wrote to memory of 2692	2700	vbc.exe	32
PID 2644 wrote to memory of 2768	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	33
PID 2644 wrote to memory of 2768	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	33
PID 2644 wrote to memory of 2768	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	33
PID 2644 wrote to memory of 2768	2644	86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe	33

C:\Users\Admin\AppData\Local\Temp\86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
"C:\Users\Admin\AppData\Local\Temp\86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ainm9a6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50A0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86e3c05bdb41130266949b3d80b9bba58660c84db8a0d79012fa023d6f7f6a68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ainm9a6.0.vb

Filesize
15KB

MD5
2c5c3ee8d6ebec3a7a93f3e05eb3d3b7

SHA1
d8080351417ad870148a854d79abca7c8ffaa81b

SHA256
8300e2aa0774a4a4e8a575995cef00c213c4e48ba11cc8f0eef2b079d303b66a

SHA512
a944c3b5ce9130455f67c2aa424aafe8f0a667ae185cdbc21d4fab6bb8ebb0e9ba4d6cf136b8de283c7f4c27a304c7b037fb491361ad3827cc67f5602183b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ainm9a6.cmdline

Filesize
266B

MD5
48ac812d7370778b25d079e917d81c33

SHA1
4e5a79245e1c58c3a1a7377f8c80929848ee2a8d

SHA256
3f65237187282720d9234f407ba0badd02ea23f8304269021f1fadc8e45f9ded

SHA512
9e2886f4ed10d973c04b126752d1b50be9cb3960d5cec760f456b5d92b4dde8ecf24441a1918d8dcabfa92568679913682492cb9b512d2d8df06c06704ec59c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp

Filesize
1KB

MD5
f365b2ec1ab2658690f3478b96f9dfd6

SHA1
0398c59ee7316cec92f2857c19cc3ce02827cba5

SHA256
85303a000752cc57300c2cc37ef3a92f91c7df6f82bcb356dc21157198cccb83

SHA512
9daf7436a6bbc9c3c5c925394c35e1211bddca886de50bf0752a0916760226aeb999efed39fc3869d018017a910a72646ab6cc8973a5219c4d3303c4ffebc375

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp.exe

Filesize
78KB

MD5
c2800983b756fdb58271e7dd67ac71e0

SHA1
ab43852be94a3d5936f2328a022dbbd5645a1da3

SHA256
a9e75ca32a14f826aa171f6d568b82849dbc4d8450cbb89d080d5c81823730eb

SHA512
86d978e40d604c5ed345e57b9811f05cd966b23374fde1d86f5c3442d6aa5307916d77487932f5435a353a14d753147a8b377870f8cf9002f645dd5d683f78ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc50A0.tmp

Filesize
660B

MD5
2a8133c482e05e945d51a828896d3e40

SHA1
765d8cb78e9ac1ed78c735aef028960bf4d49884

SHA256
dd40762078383bf7935a1f84f977a0dae83c986caa5d17dcf3c55f797402e749

SHA512
2736028820748f7a1b630359e006ba854a6f533fb0a1faf56a0a3d0e1e07526f47ee9e15c0256cb5d138c876e24cd46c03ba0fc2d66814c40a59d383632e3a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2644-0-0x0000000074301000-0x0000000074302000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-24-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-8-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-18-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads