metamorpherrat | 15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d

General

Target

15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Size

78KB
MD5

71f4db3c74f290a49e0008139fe2d4f2
SHA1

d137a3640e393da795b36219c630c25250ebb2de
SHA256

15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d
SHA512

9265edbd371ecc74a2c496e38bcb1759e5321fdfc6bbdc964b65d9fae03e4997951a370e191ecc9cbd6a43159c9d4251d52c410a68a53b054537ead953729d61
SSDEEP

1536:auHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte89/5V1LEw:auHY53Ln7N041Qqhge89/5Iw

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2936	tmpB396.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB396.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB396.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
Token: SeDebugPrivilege	2936	tmpB396.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2060	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	30
PID 592 wrote to memory of 2060	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	30
PID 592 wrote to memory of 2060	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	30
PID 592 wrote to memory of 2060	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	30
PID 2060 wrote to memory of 2252	2060	vbc.exe	32
PID 2060 wrote to memory of 2252	2060	vbc.exe	32
PID 2060 wrote to memory of 2252	2060	vbc.exe	32
PID 2060 wrote to memory of 2252	2060	vbc.exe	32
PID 592 wrote to memory of 2936	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	33
PID 592 wrote to memory of 2936	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	33
PID 592 wrote to memory of 2936	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	33
PID 592 wrote to memory of 2936	592	15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe	33

C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
"C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orotccwn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB49F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15ea40cfb8aeedce17c4b3b29e1088ff39d0cad78e7cc54714748b18dc931c2d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB4A0.tmp

Filesize
1KB

MD5
3241d457eb2ef91be71c92e44874a8dd

SHA1
9da47f9339df36c8f5942486d85639a4857d0cbd

SHA256
46aed2a27d354d856a2385588eafe569521eebbaeebd49a3dc05df4410ea9471

SHA512
c2e27663711a4a0d2b35ac41de52385f1dec01d95475f11e459a177a6bc375289dce25d2dfa0e4da997b621cefaa659fa25a7a36638fe2a480e9491faa101b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\orotccwn.0.vb

Filesize
15KB

MD5
5c2298c7afe0123f7b29206a6df19eaa

SHA1
ef824ea6e0f70c8bf981bc34591823ec6be01bfe

SHA256
cc48759fbdcec14bcbe827a34d042c26980336424cc63a8ea34b90d09ec46942

SHA512
54e103e295fc4399dae5c425975ba33de093870231b90050f2143a1d4d0f0510684abb5c2a67e4da2b2a7b2605b4537772586c5706cc6f52d181b1c7ad9795fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\orotccwn.cmdline

Filesize
266B

MD5
c60886ce7053742cc59b812fefda4b66

SHA1
8c84d1bcec82635d62ddc114efe631c5c0a6e88d

SHA256
faf7d618fb04b2d700fb4ce46c4af73d31171b8b2e20d4b73dafcebb30acc41e

SHA512
9f5657fbb3ec7a0558a4a6dd0ecc86be2892f79a1ea2db6be941c0a98e54f07c3a2d28eef4b043b385d9a07df7e21167272300307df9bdf8bfb50103236ced4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB396.tmp.exe

Filesize
78KB

MD5
fa88fca413bc023960f47be7fb3419b4

SHA1
c5986c399fa4d69295b78bcbf4060ed7e19b11fd

SHA256
fc09a9ab4e17b403b0270ff61d0c2a04d7fb7e4adc2e100a7ed9d0b1fea37d8d

SHA512
536f57ed6c3fc433a5bd4ac403b54792af8b1cca794ffda2d9bcba8e570500e945977595c823602ad63a7cf02fe3b02752ec3cb478f49d033fc2a667e07c93b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB49F.tmp

Filesize
660B

MD5
bca910f77c6625c4ebd154dc6060a4b5

SHA1
7ba8e3738612a572a5687bc8b013bc38bc214d33

SHA256
503d212b369c45b662d088934db3253da408d0c9224c4da094f23cd7d35c55bd

SHA512
8de3f537501a120e3b52276198ff70efd0feed2eecbba4fd89af7f289ab3c88bee112742fcccfd670c298b92710d4d7b16aebb59c1852e36b2ebca637387816d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/592-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

Filesize
4KB

Download
memory/592-1-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/592-2-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/592-24-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-8-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-18-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads