metamorpherrat | 975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e

General

Target

975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Size

78KB
MD5

f1eecaef677c048818600768038fe196
SHA1

885202b3391134c6c3032b962c42548245e76ec7
SHA256

975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e
SHA512

8a752562cc4b2e34aa727ec4726d408405f7042771972647f2e20931a88983d9312bec91622c3836a58f9d6c6853cf676e370e3cdd814fef850b403c7a0a33e1
SSDEEP

1536:lRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRJ9/N1pU3C:lRCHFq3Ln7N041QqhgRJ9/JqC

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2844	tmpA94A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	tmpA94A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA94A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA94A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
Token: SeDebugPrivilege	2844	tmpA94A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2380	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	30
PID 2604 wrote to memory of 2380	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	30
PID 2604 wrote to memory of 2380	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	30
PID 2604 wrote to memory of 2380	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	30
PID 2380 wrote to memory of 2876	2380	vbc.exe	32
PID 2380 wrote to memory of 2876	2380	vbc.exe	32
PID 2380 wrote to memory of 2876	2380	vbc.exe	32
PID 2380 wrote to memory of 2876	2380	vbc.exe	32
PID 2604 wrote to memory of 2844	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	33
PID 2604 wrote to memory of 2844	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	33
PID 2604 wrote to memory of 2844	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	33
PID 2604 wrote to memory of 2844	2604	975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe	33

C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
"C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\guz85rhe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA24.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\tmpA94A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA94A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\975e4eec33188500ac1b490a273a3bf013f74b7816d92eab057e11fb8098be5e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA25.tmp

Filesize
1KB

MD5
f51f607df611fb163246d96ac8bcb1c3

SHA1
ba5df37f400e81f2b344d9a63650b91060fa3236

SHA256
b0deeaeb2907b48acfc5f36c2c61d449ba7d023f2a46fdb5df86516ceb8eda4e

SHA512
1cc87a5e0be9f65a40ad9eece615d36ddff8fb4948180eaab88feae37a4a12155bdb951ca9c6310bc297cdf26191cb427d2184a1a95a165c8b2e97fa758ff162

Download Submit
C:\Users\Admin\AppData\Local\Temp\guz85rhe.0.vb

Filesize
15KB

MD5
be354546cbd8642dbf940b0290efd1ea

SHA1
88d75b22779af0b562e76ad61ffba2094f6e6179

SHA256
f97c478a7840a16427bf80aa04fb22d9d778804b06fb46bc7de2a3f5b6625896

SHA512
80f4053d21e1ff1933cd1b37bb36339b9b6d30b4233fa9a4f4d55c78330fa7d111a71a6a5776efe75bafa90c800736066c4489e0cebb3865aa65d276663ca355

Download Submit
C:\Users\Admin\AppData\Local\Temp\guz85rhe.cmdline

Filesize
266B

MD5
38f1ac3b1e1fcaa64cca70fd9992cc9f

SHA1
4b058a41a391cf0d163f69a22d6a977e45653dad

SHA256
8c5c18dcd8999671eab434ad6e1dcadd6bcae0dbed0b60819efc157a114cc622

SHA512
46415392ffd214fe9b6adea1335337a9850c232000a0e9ad00b37098b96548ca032c0ec27648ef5fc7e0d6e40b19f9d6afeb95ada6335a5046189e0a15265e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA94A.tmp.exe

Filesize
78KB

MD5
326449c74dd75fd8d3dcbf19c0740343

SHA1
39a0e4d0356e1e0d0e64615656a2db3142c1a02c

SHA256
04badfbfd1377fde85e52a81d3822dd3a6732408c2f7de4285c034029f59f96d

SHA512
94fa5704f368ea52cf6a68947beb7ea523751dc9209ab06c81e47f7a936c6593c93a8fa3710854a724828145135174323fa1c828893760535e79350d126f19ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA24.tmp

Filesize
660B

MD5
161407f282bb37abbaf5cd8d9d155a3d

SHA1
494c51b03d9829c82865fe57d8eecc09e660cab6

SHA256
196e7043276a493bbc9db598a24ee0de294f7b22aea920a123bd2ff1077ff49b

SHA512
89d04b68bf7af59ef2b76d2d7a2b4b8a6f04d3c796b27dc5b10558272b0df3801df92b4f800cb00022e6c465cad43a7a89080607874bd4472bf654fb812c11fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2380-9-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-18-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-0-0x0000000074931000-0x0000000074932000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-24-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads