metamorpherrat | 35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81de

General

Target

35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
Size

78KB
MD5

d0771a42f642684f74b2a5500f25dd80
SHA1

f152283ca95706ea2e1912c618d468d231b3ff60
SHA256

35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81de
SHA512

82325eb105048da5cfa6226bbffd4f8fca145a6b5bae84d4288db162b13431a9e0258640b7a54804d8315e5e98c0b4202473a4ec86e55218f8dbaa735e012b14
SSDEEP

1536:DCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRj9/q1gQ:DCHF8h/l0Y9MDYrm7Rj9/a

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2296	tmpAEA7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpAEA7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAEA7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
Token: SeDebugPrivilege	2296	tmpAEA7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2548	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	30
PID 804 wrote to memory of 2548	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	30
PID 804 wrote to memory of 2548	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	30
PID 804 wrote to memory of 2548	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	30
PID 2548 wrote to memory of 2940	2548	vbc.exe	32
PID 2548 wrote to memory of 2940	2548	vbc.exe	32
PID 2548 wrote to memory of 2940	2548	vbc.exe	32
PID 2548 wrote to memory of 2940	2548	vbc.exe	32
PID 804 wrote to memory of 2296	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	33
PID 804 wrote to memory of 2296	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	33
PID 804 wrote to memory of 2296	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	33
PID 804 wrote to memory of 2296	804	35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe	33

C:\Users\Admin\AppData\Local\Temp\35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
"C:\Users\Admin\AppData\Local\Temp\35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ae8pa51g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF44.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF43.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\tmpAEA7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAEA7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35ec26ca5aaa88764b2ffb2f9a2cf393ebd15001cbdcff26dc9d0fa8252a81deN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAF44.tmp

Filesize
1KB

MD5
f70529a6fcb6f74bf06f101feafa2886

SHA1
973917676b02b5ca35ca613702c035be1833b3f7

SHA256
ff432ed09d78c315183b33c8170a5a15446a4f90dc9d13c98afbdba49e4db658

SHA512
1b3e004b2f2b36a70ef8fe0ef725625e91878b3e16491502692f72711e3c0931fb37538e0d73140867f6471fe635be3c7f5d84c36df8966f89b996ef18897eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae8pa51g.0.vb

Filesize
15KB

MD5
5ab05aa3f55a9f21c00b3adcefd42bf4

SHA1
dac922a1088052df3142522036389fd5a8ed87a7

SHA256
29177a75a6f098eac183d477fe01d456e46b85383b23b1a4476811376a751610

SHA512
2c2758fef71fab607f5eee5885bbaa3d0a4608f9245112fdb27553daeeb782a674e32893d8c3fc42f8e984fd0464bee3f2c07a3ca0c397d7b5b99f3a3222084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae8pa51g.cmdline

Filesize
266B

MD5
8278da30865e49164b997a16888500d7

SHA1
0eca76f4588a2c2caeb77791d64207879b17bf7e

SHA256
b48f1847bd3592d732e28a5a0650c900ae28ff5e09a06f7b6c3fc35933b2c842

SHA512
f5b5635cf656cab05214d6e39b143f549eb0c4fa8621ba508d937a64a5948ca2df25faacac9db52fc099f21dd905e6b83a70a0469bb74a859f97be073c5e18ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEA7.tmp.exe

Filesize
78KB

MD5
80bf10742dbc298464baba598968acb6

SHA1
4784757788e22e9e4f3b2db3fea883252aafd6c7

SHA256
904a8bdbeea616f17ec651ec0f6f8bdbec14fe3a2c0a420333915bb716d3abda

SHA512
53257727073bb7a0714d5a1165f61d1d73fbffd350ee1d27bf140d0848c0910b573bd41f01a98530e6953def5f9bc25ec95f3462ff10a76dfa0691913a5610bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF43.tmp

Filesize
660B

MD5
dd2ff17a9ec9b81eb9e337bbb530e5ce

SHA1
78cadced11d771820f667c2e087cbb5cbadeb0aa

SHA256
7141bc111776b48bbda4361d3b64b738f5bc94537c240b2d290b483ae49b6054

SHA512
68767b28c31faff7ef6cefbe0b870a06785521a25a3eef5ae02021f608b0ceb954da1354102d835073c8820769422448c7d70a2f4394fae7dfa51afa08dd80d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/804-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/804-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/804-24-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-8-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-18-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads