metamorpherrat | a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c

General

Target

a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
Size

78KB
MD5

7ee472bfd0e44c494ea26d3f028a578e
SHA1

85c00e765a09c3f0fcbbb143d808fc3234b7ad59
SHA256

a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c
SHA512

397db579c4a9013b76af8ff8f2cb98f382cdafcdf2f9f508d9127bd7d889072db435ad9feaee1ee7ad8bd6fea05b1c3a8e7d02d6a99b8945adb5d4d820aff348
SSDEEP

1536:DCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRj9/q1gQy:DCHF8h/l0Y9MDYrm7Rj9/ay

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
784	tmpCD9B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpCD9B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCD9B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
Token: SeDebugPrivilege	784	tmpCD9B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2100	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	31
PID 2232 wrote to memory of 2100	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	31
PID 2232 wrote to memory of 2100	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	31
PID 2232 wrote to memory of 2100	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	31
PID 2100 wrote to memory of 2276	2100	vbc.exe	33
PID 2100 wrote to memory of 2276	2100	vbc.exe	33
PID 2100 wrote to memory of 2276	2100	vbc.exe	33
PID 2100 wrote to memory of 2276	2100	vbc.exe	33
PID 2232 wrote to memory of 784	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	34
PID 2232 wrote to memory of 784	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	34
PID 2232 wrote to memory of 784	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	34
PID 2232 wrote to memory of 784	2232	a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe	34

C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
"C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\no0bdejn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE57.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE58.tmp

Filesize
1KB

MD5
df795e5ac56a095c8ca9a71b664081ef

SHA1
34acbef0b0d1bedc321f81813a7f3e88782b37f4

SHA256
d004933379f0f8be0eca8b867e548ade7fa48c9b6e6e5d6f9aa8376dd17ce5e7

SHA512
5bcd48e70c2fa607fad70cb215fc715963af9d4f0de9ce50ab3fe57f7036e565ec11b4fe90e7a7580640dc7dfee36ec1a0829c5b2ecb5bd9ca0027cc4a7af2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\no0bdejn.0.vb

Filesize
15KB

MD5
178061fd6160f91ac312cf20c222d5dc

SHA1
e91d4c03a0b1ad47a4a698d6a8b5fe8d6e90106f

SHA256
09a0cca010e7a769362deafac71de4559fa2806abef8ce8c659588c6000ff849

SHA512
c968b83e6882c19d49f6973333699365ae2a97d2062c190020f2137daecaef8fcaae2fabecb0132a769d8b747a886e042e22d1845c904562f060375ff947e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\no0bdejn.cmdline

Filesize
266B

MD5
0a13d1a28b9379913af343823dd22e8d

SHA1
65e256aa388713d137dff8e709f7a5eba76473f5

SHA256
07b613b7981fb5bef3c8c59e6e66b642c41d4d04462f85e2a8b783570fa2d684

SHA512
3bec535c0a02e1cc002aca3cbba7f32bbc61c8fa562e15f04ad271b97defee9d3ebe06840170c7541e39e2961e26d98fe137037183135d7bf28599c529f29dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp.exe

Filesize
78KB

MD5
fb3a85929cdac6bc0e1249cc8de35020

SHA1
f70d4f6c0b935056f9823367cf091bb14e6b27c9

SHA256
bb84af1275cbde28f6b762af0167856c895eaf1434f767512cbd5b41637b5ef0

SHA512
527f7c2235f358ebc217440e16a1c7b61d5b5f9b8feaef344cba9dca82d6b12423cf99e800fd518615460b2633132c61bdce985730a48996ab5f2b75c1c46bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE57.tmp

Filesize
660B

MD5
46b057b5c02bddcd30ef07ee98e203ca

SHA1
d95d29e85bf715b1538e7e92096c74875c1260b0

SHA256
2cc7a1c45e72d4469601a7d1a2d8b54806e1b29e611319d026a9b8ac325d022b

SHA512
49f59d46945472c6ae36551010ab72737ceedde154cca820d2212b799c676a1d8974be29dceedf90fefe6a6e372a5ced35396096eca460750e45872b0a82a385

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2100-8-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2100-18-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-24-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads