metamorpherrat | 7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8

General

Target

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Size

78KB
MD5

a0644ba03ff17739ab64dac9d2af1130
SHA1

cc70c7053352b22f6f85460a96cf2cee20bf29f9
SHA256

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8
SHA512

130b816cfc1bc6a32db07fcab17186fae9fbb8d4aecaf26179365b2e720264a526f6f7a64b1956dcfd3934fff7423b32735a53668e9c9788b61c4a7ebe1f253a
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1ADc:lRCHYnh/l0Y9MDYrm7eA9/pc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2776	tmpFB11.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpFB11.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFB11.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
Token: SeDebugPrivilege	2776	tmpFB11.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2816	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2260 wrote to memory of 2816	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2260 wrote to memory of 2816	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2260 wrote to memory of 2816	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	30
PID 2816 wrote to memory of 2684	2816	vbc.exe	32
PID 2816 wrote to memory of 2684	2816	vbc.exe	32
PID 2816 wrote to memory of 2684	2816	vbc.exe	32
PID 2816 wrote to memory of 2684	2816	vbc.exe	32
PID 2260 wrote to memory of 2776	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2260 wrote to memory of 2776	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2260 wrote to memory of 2776	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33
PID 2260 wrote to memory of 2776	2260	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe	33

C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
"C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwy3csif.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC2A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmpFB11.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFB11.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFC2B.tmp

Filesize
1KB

MD5
c727f515c81fd606cb9a0fa691ea8221

SHA1
90c7e2ba82095c7a94014b0a522b9930c10135a7

SHA256
6cff684e58c7e9714596f0ad34f0ef10d5dc0ec11e9b87cd4b7d1f32d91a9892

SHA512
149a640f9d72efa5a6e39cc425b38dc4b88f94d74919a13127cfa72123582bb59841e4acf92b6d4ee8fc792c76b31d28577878d2d0cfa4e78873f8d219ea67a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB11.tmp.exe

Filesize
78KB

MD5
2c278c74c4969202d3530bdd3381cee0

SHA1
721897ec57c1da335af3df9370ae3f05d05a4222

SHA256
8d69923ea67b48ef9249ae8a53f89679a4bc1032a4fbe9724adda6af577f02d2

SHA512
bd56cd687661f197ecccd5c9b6851df8626708e010005f28e98d097d8785c6752a604a8a5e0550de960b1e2fa3d49eb376cf3df1e81071c2b2d7a02069ab65da

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwy3csif.0.vb

Filesize
15KB

MD5
78ce8910cb1045a218df7b7a763b7d4a

SHA1
764cf1491a8653d11291f8e5b9825cd8c64dac66

SHA256
7b4573dd4a25ce6668b0ec7971b224254cf3e2bc9454a5f59dc4284bfc589dbb

SHA512
eaa3c1faa5875fbcc8d243a2c7b0cc0d571a61f1eaabdf1fe0523f47ad5b00a5515cd03e1449855e92f29c1d9d08e9019fc9f17c0fa21ff21a0ae8ff0b49e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwy3csif.cmdline

Filesize
266B

MD5
bac57e6bffe8caa4a5a15304a24fbd00

SHA1
cab72e0373415fe37df541d8e02d72c2f8e66aa4

SHA256
c461dbef6eb70c1bcf7dcbd0a3a0baa7b9a155e62a3d55f97be289a27c318a9b

SHA512
5fc9153f4b4d0f4b5457ba31a044f00af63b9c09c7d10e2cbea71f2ccb015b7e6eb6d3acfb563fcc44bef9de99407f30b905ca80787a57ec92b36de04a078e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC2A.tmp

Filesize
660B

MD5
587d48ad65f1f7a4e0741483ff0dbc75

SHA1
52d6d49814ab3d65d133e020290ae69c3c7c28e4

SHA256
6c765db7f172565ad10293cc97d8383a81f062b6e57b29d5e9f79d96c80c5a8c

SHA512
77ec3fd41122104e50ccc058b51f7d4206e57f4c0fa35c3268474f50f8acb7fe926c4cce75cbcd02563d1c7ae12dff38de507e5bd428bc51693173c2948724e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2260-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-24-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-8-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads