metamorpherrat | 5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303

General

Target

5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Size

78KB
MD5

8d3721144f7549df779020586ad65850
SHA1

3a8dbf3f448d419bedcd098b6bb9e1e1a5566e48
SHA256

5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303
SHA512

18de0aa764229468fad3e2af7508024da5ff9170fe1b20a2242e18d3e5e17900905046a4b274976c30015885d0dfd6cd9aa9122f8e49181a85d6710d7c12f4b5
SSDEEP

1536:LRy5jJLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6G9/C1BU:LRy5jhE2EwR4uY41HyvYO9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2980	tmpBC6C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpBC6C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC6C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
Token: SeDebugPrivilege	2980	tmpBC6C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2440	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	30
PID 1804 wrote to memory of 2440	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	30
PID 1804 wrote to memory of 2440	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	30
PID 1804 wrote to memory of 2440	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	30
PID 2440 wrote to memory of 2564	2440	vbc.exe	32
PID 2440 wrote to memory of 2564	2440	vbc.exe	32
PID 2440 wrote to memory of 2564	2440	vbc.exe	32
PID 2440 wrote to memory of 2564	2440	vbc.exe	32
PID 1804 wrote to memory of 2980	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	33
PID 1804 wrote to memory of 2980	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	33
PID 1804 wrote to memory of 2980	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	33
PID 1804 wrote to memory of 2980	1804	5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe	33

C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
"C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpsnosm3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDA4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5ef16e3f29ce0583fa11b5f65dba85436bb982cfd2af91bc56bb749d7a49b303N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBDA5.tmp

Filesize
1KB

MD5
40c6373b5bf72e9f5ca82d61ffed29d2

SHA1
610f5b3c990b95ded1d03017fa2ba868f4cbc854

SHA256
dcfb217785468e30875e390ec14660f7ba0bb074292f462447a3f4c03a1859c5

SHA512
f9c0b8c89b4fcd22acc54ece0ac31e192484ea1f6e3c42eea7603c4cc990ae7953b492ae37acd8a9dd16c25951e2b48fb9dc777ae1221a37e957157848290cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpsnosm3.0.vb

Filesize
14KB

MD5
a5330a8ea2716994c3d220710a7d5d15

SHA1
57599f94c1864f6a128ee1d7f753e6ee64be511f

SHA256
d09fa41dd406de70988dfc5c2d17e9cab32c4af151d8d772add98e07d9c39922

SHA512
e8a78210e53748ae08c753f3def28fb7af43dbc7070eebd2ae3d1e48f0261011e3a0e1c6a1a99be627afa63f76010cf6ec5f759ad40f9591e280a88ab16efa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpsnosm3.cmdline

Filesize
266B

MD5
e88403f3d13d4a1ddb1a9af27d7fc9be

SHA1
b66fa6d4e6fa1f0bbdb29ed7d67634b8d6fdac03

SHA256
1010d4633a0ce2760bd08d8f9e5ffa5165f4073a053c499aa4231adb5d32047d

SHA512
b9dcb86860b0f0bcfe789ad8ab430040ce5f643e3134b59872e81ce85da3ad037f7226ecf14ac6d1bda55608c51e6c434f869f3a6c2345aeb9921962b8c61877

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe

Filesize
78KB

MD5
025eeb565bcd3d3890af9b284878904a

SHA1
f21519beb39489e9f242cb442d48c1751fb25b8b

SHA256
b1a1039288199deba932c8a2daa8540851b40f6d184b69408c22547cf2088e61

SHA512
15c33c41fc7d56db036ce58c1acd2e030c9ae3d89a5319f017e4c32a940ada8a7861b991fff8ac99d920e9845c1f65e7f30ede7727ae2fdee46029c6fefb4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBDA4.tmp

Filesize
660B

MD5
aab1e2f247df591be669b6d0558ef260

SHA1
d92ef51b1b1d8a395118dba118c28fac099beeeb

SHA256
4311517acbd31ef1e0b2d8bed02f4abdd2b75a19397c6cafc038974afc9a344c

SHA512
4e2f79e1f94541e4250a9533302c01dd68830de04951db78c86586e8c528cc15ac670be6de79fc7fcd7ddb5ca0eed4ae7b1d52bebaf3902f173cebe7db7bdd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1804-0-0x0000000074D41000-0x0000000074D42000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1804-2-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1804-24-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-8-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-18-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads