metamorpherrat | 7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8

General

Target

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Size

78KB
MD5

a0644ba03ff17739ab64dac9d2af1130
SHA1

cc70c7053352b22f6f85460a96cf2cee20bf29f9
SHA256

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8
SHA512

130b816cfc1bc6a32db07fcab17186fae9fbb8d4aecaf26179365b2e720264a526f6f7a64b1956dcfd3934fff7423b32735a53668e9c9788b61c4a7ebe1f253a
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1ADc:lRCHYnh/l0Y9MDYrm7eA9/pc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2932	tmpBEDC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpBEDC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBEDC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Token: SeDebugPrivilege	2932	tmpBEDC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 740	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2736 wrote to memory of 740	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2736 wrote to memory of 740	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2736 wrote to memory of 740	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 740 wrote to memory of 2644	740	vbc.exe	32
PID 740 wrote to memory of 2644	740	vbc.exe	32
PID 740 wrote to memory of 2644	740	vbc.exe	32
PID 740 wrote to memory of 2644	740	vbc.exe	32
PID 2736 wrote to memory of 2932	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2736 wrote to memory of 2932	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2736 wrote to memory of 2932	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2736 wrote to memory of 2932	2736	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33

C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
"C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f6abl8ic.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC266.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC255.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC266.tmp

Filesize
1KB

MD5
aa12a497be40e347acfe9814f35457fc

SHA1
5cf93a0d4daf8b7c879f69a7b86e6e152b906634

SHA256
7dc5b6ad29825e08daa5cd95d59d289dd47c51bd89056783d8ad0b8eb783f24b

SHA512
325829d7b40015aafdd646449289dd5bf51f544da48ceea5abb812b0a643e139201f06c117df623d5517f045eefaec1aaa5e3dc00bc5366096ed1f69559a37b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6abl8ic.0.vb

Filesize
15KB

MD5
cac0086147729ccc96f24579de978670

SHA1
e2bd9f5e3dbf8c82009bc9ea8b6b2fac53de175a

SHA256
a5d58248c357f237a9bdecd30a77959c96892db0788e387ddaf059fcb75121f5

SHA512
163f99eb7e83188cb3d079a388773938801d2a1d8af10e3e17e531c7d021a18b0f174b1be68088c96bc9293ba11ce16add84bcbfea903df3a0a4da5b660a9978

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6abl8ic.cmdline

Filesize
266B

MD5
76a9685337f3f20817ab4084e0c7e5d8

SHA1
701fe5389c88d82f95ee0576005f2adcc5ec0a04

SHA256
c45bb7ca5ff7ba3e95ca4764816dc280c5196f1fad1a8f3dda2842daa0159e1d

SHA512
2e525d546e421e5ada0b9b11aa97016724b2501612f80cb260f5dd0fb59301adbee9b573fd02d1c67d1e3a0fae8124e2dff76929b436ad14615fd3cd5113fc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.exe

Filesize
78KB

MD5
0b3dc36eb8afa33ac0d0541ecb84c461

SHA1
2db8b29760e44a2a8b0e2bf7cc540b5675eb1dc9

SHA256
4b0ec235284d88ef046d97104956a34dd06283c1fe0e6b023791aed87aaf38f4

SHA512
e397bb61ad44a0f3d55e77127cae305875af59eab402aaaa0e842470c5b8e36297446caf090d1269b316b9e551b788c0a176a84d14561307e789b11ab484830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC255.tmp

Filesize
660B

MD5
09d4a5e51cccafa837c818f9bcae3dbb

SHA1
8b77a2befffd3080e52ad088f6ec5681ea88a2b5

SHA256
59c3227e33797f6f8593831476509816aed92094d7ab07b37488ed0773c085f1

SHA512
943072b85bb31ddc96079081668476665e040816342501bd335e151d9882bce677c8bbec51d1eee64189c8fcfe9761dbe62bf3343338e7912617e26ba468bd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/740-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/740-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2736-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads