metamorpherrat | 76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199ab

General

Target

76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Size

78KB
MD5

61010335d8e998d2ac1492920b3e2090
SHA1

e485e13772b6dae5cc46a8aefa3082aff9778d6e
SHA256

76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199ab
SHA512

1f55ae2648502273faef5966341134ffdfdb3ff4b76b8d123c34f582388f4f09635fc9e3ea251ba5f881f4f1f0f74cd5977669ba239334e8114a82aa5d34b91c
SSDEEP

1536:WOc58rvZv0kH9gDDtWzYCnJPeoYrGQtC6T9/Xq1c8:Fc58rl0Y9MDYrm7b9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2776	tmp7530.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp7530.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7530.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Token: SeDebugPrivilege	2776	tmp7530.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2164	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	29
PID 2376 wrote to memory of 2164	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	29
PID 2376 wrote to memory of 2164	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	29
PID 2376 wrote to memory of 2164	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	29
PID 2164 wrote to memory of 2952	2164	vbc.exe	31
PID 2164 wrote to memory of 2952	2164	vbc.exe	31
PID 2164 wrote to memory of 2952	2164	vbc.exe	31
PID 2164 wrote to memory of 2952	2164	vbc.exe	31
PID 2376 wrote to memory of 2776	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	32
PID 2376 wrote to memory of 2776	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	32
PID 2376 wrote to memory of 2776	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	32
PID 2376 wrote to memory of 2776	2376	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	32

C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
"C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hu000lwz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc782C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES782D.tmp

Filesize
1KB

MD5
4dc29500afff48cd1468a1d384e5d6d6

SHA1
ab1d4dfdfa7e29f6c53914e4d4443a087541281a

SHA256
12c0da5e55f5a1c4ebd95aadd6069a2a6e4641ef614eaa0b27e2a5e7e4507dbb

SHA512
442e620d35a92b15bdb3b5c9fbfe7d3f5811f7dedfb1b4b8248523482a20cdc0ea39f099220d9237d571f50515cdad3522a5d796a26bab706cd936e9abc97b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\hu000lwz.0.vb

Filesize
14KB

MD5
663e961a311fc5888fc2b2b70ab58f15

SHA1
9fdc45e4da7c09962241795ca08e32e6d090be5a

SHA256
2f892d6f7e1da6222016516ee261f930796eaa50e0db81bb862c0b5a378230b4

SHA512
0f8904dd55e8cfca481c8d554681598974ac545fc053eb12ee7c0d0838fc3c6383b9db108ee8edd2c0ea073b0e7889be45132b6e8e85664ea98aed09734ba0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hu000lwz.cmdline

Filesize
266B

MD5
c706876f27e7ad64093780bbaefd10c2

SHA1
67e3942b41b1695c30f77134833879a0d11cf8e4

SHA256
45a82988aacea12400f9efd8c97049c92d98cf10e08e927df30f6f9992bfaf85

SHA512
eb324a469ff3d44c61141ac35b2a48743d4173d7b7283a3cadfa4488f035aec1dcbd01080ce95a50209a48bfcabd77ad1d32e1cd146f951e8865ef61e4bf7668

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.exe

Filesize
78KB

MD5
06b8a61eb42192f02d2d1bfaa2579785

SHA1
380e4e00dbaa9d22039346bb054e6311b134866a

SHA256
ae6346e20fcebcce3ea92fdd4ffeb65f64be0819ad46363b004888faae359307

SHA512
5403cb68462b6d838aa056e69f92863be117630aa587da4e99f7aa174bda065aeeaea3fab0791d811e9e6a12b9a3331399a010e0617f445d1f5293538a20a84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc782C.tmp

Filesize
660B

MD5
8660cdab048b3f85aaaf4627ad272718

SHA1
4fde7c92fbeda07c25f60f043bdf62057d2fe521

SHA256
995096c479dd7c04360bf24665e5276251777ea0b7faa101653f5781f9236666

SHA512
fe7227c4f099f4fd18a572c22be4164dd7b53944b5bb5a9c70c1746a375ddf2db94972fb9b5f0b69a59e3696c1f219f0b80b67361122ca04a23aea60ddeb7eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2164-8-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-18-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x00000000745B1000-0x00000000745B2000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-2-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-24-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads