metamorpherrat | 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f

General

Target

36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Size

78KB
MD5

a3eb3a25aa665925d3c1d1d63d80efac
SHA1

da2eebdb1492f2e8f554a208d47083d4b4856d99
SHA256

36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f
SHA512

4a059f9f552a8e003aef65feda5ff52f6268fb0623a43fe31bb5d1e330e079d8ae77458c84fbe66d682c7077f67b2933b5cc19677a6b82eac889d702f702eb74
SSDEEP

1536:6HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQt99/NV1M+:6HFo8dSE2EwR4uY41HyvY99/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2880	tmp713A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp713A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp713A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Token: SeDebugPrivilege	2880	tmp713A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2156	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	29
PID 2600 wrote to memory of 2156	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	29
PID 2600 wrote to memory of 2156	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	29
PID 2600 wrote to memory of 2156	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	29
PID 2156 wrote to memory of 828	2156	vbc.exe	31
PID 2156 wrote to memory of 828	2156	vbc.exe	31
PID 2156 wrote to memory of 828	2156	vbc.exe	31
PID 2156 wrote to memory of 828	2156	vbc.exe	31
PID 2600 wrote to memory of 2880	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	32
PID 2600 wrote to memory of 2880	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	32
PID 2600 wrote to memory of 2880	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	32
PID 2600 wrote to memory of 2880	2600	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	32

C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
"C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daad_qko.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7476.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7475.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828
- C:\Users\Admin\AppData\Local\Temp\tmp713A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp713A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7476.tmp

Filesize
1KB

MD5
b9f568fadb31b1b221d8320bbf1d5788

SHA1
0e52ea429f53cbc78b5c5d7b4767607decc67234

SHA256
aecafa2a6bc983abe3ec806a3a40bfb52665c87e52ef617c5beee13b0b7bd126

SHA512
d720305c7b2e7042c54e0f7f4345ab2979528fa686b4f007bd5b40960e1961f334fca30c6849ca235f98ca96d8386a04ed941ec932d2c1cd34bd5da08b9c7181

Download Submit
C:\Users\Admin\AppData\Local\Temp\daad_qko.0.vb

Filesize
15KB

MD5
7684eaf54d3ed01c91f7ad24ab18d6d8

SHA1
2be8d91afc3efc644972f6c18ba48964c9b7ca9f

SHA256
114b1becdc0096f39766ddbbaf849dfb3382dd548ff260cb75d9be95f6fbed5c

SHA512
8cbe57a2566bba3b360e719be2d79439edf452b6162bb72fb8c2b88a0401f8aa03398ef0fe3ed2adfac5a0660f5e557070bb9a2e1a4a4fa443a67d0e69e52177

Download Submit
C:\Users\Admin\AppData\Local\Temp\daad_qko.cmdline

Filesize
266B

MD5
6cf7bc2268c1c684953978836a74a3be

SHA1
85fcdabb3f98b431aed544ae000f803770223ca4

SHA256
025615de58614e8e1967f54e2197b14236b4c6fe555f1cca4c0ac2e3c7add213

SHA512
d09eab554cf3d06bff08f15a0a02f0c762f6d0b39c647590c19f86600f2f80ece00e6bca35e456183c3cf64b49187980c5b267fdcee6a3a27b9cb2b2be089485

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp713A.tmp.exe

Filesize
78KB

MD5
04ed00576b08a66f779cc4d0defbb0df

SHA1
30950d990f57440266c4d589ccb9f0c92ba7b9de

SHA256
ec900e38611a02ac322a8627181919f676201b564936b953093b887147b1e0e7

SHA512
e74593206ca92f724347e0e9bac08a7b202952e34e0d6ebbda50e280a0905b62d6f95efc617ebd17176fd8849e244e10a5fb57d24ad6e13095e783d1effc83f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7475.tmp

Filesize
660B

MD5
5a4c3034862b2c6a8fed629bf2bffe76

SHA1
1c13808ff3c6847cd93109c6652096977064a2a6

SHA256
7e95dbf2a8ab9a7463218749b7973c04bf9c899e0fca09c72409854c46df7563

SHA512
946b241b6a5bbaf3141f0a5d5abe2841b662299ac0027dc8e955dbb72b94855fad6768e3b02b4a6adf461e99f91ef2b143e14c8bdbeb62978274437127510b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2156-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2156-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2600-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads