metamorpherrat | 12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407a

General

Target

12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Size

78KB
MD5

9460011b1ecf577107187844257003d0
SHA1

4f4359ba3adf88379408d65ae2a6df8af61385a5
SHA256

12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407a
SHA512

24b39278f066f740695b537051ac1a9fb249617ec8ba35f373426bfd73d7191cf4ed56c2c5030c6d189ca67859df40a2667aba3db4d141aea59734f188b37e1a
SSDEEP

1536:ARCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/D9/21aG:ARCHFo53Ln7N041Qqhg/D9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2944	tmp7BF3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7BF3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7BF3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Token: SeDebugPrivilege	2944	tmp7BF3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2804	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	30
PID 2904 wrote to memory of 2804	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	30
PID 2904 wrote to memory of 2804	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	30
PID 2904 wrote to memory of 2804	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	30
PID 2804 wrote to memory of 1600	2804	vbc.exe	32
PID 2804 wrote to memory of 1600	2804	vbc.exe	32
PID 2804 wrote to memory of 1600	2804	vbc.exe	32
PID 2804 wrote to memory of 1600	2804	vbc.exe	32
PID 2904 wrote to memory of 2944	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	33
PID 2904 wrote to memory of 2944	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	33
PID 2904 wrote to memory of 2944	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	33
PID 2904 wrote to memory of 2944	2904	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	33

C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
"C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sndvx9ap.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F0F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\tmp7BF3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7BF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp

Filesize
1KB

MD5
eb9a9ae577b428a7204db7ca31116d48

SHA1
5aa3c0a8c80cbf46794997e817bbea74b39c1e68

SHA256
289729b3890137d1bded064728c115618366d5e9748656fc33cf0a011e434974

SHA512
875dd770be94a78052607e52abeed29338f6bf7a669cca303be7f793bfb0cd624c91cf04ae749c22c11d1b3d2cb1cb1ca4b415f6bb22b324767cced86af1d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sndvx9ap.0.vb

Filesize
15KB

MD5
a89ae2a61af17a82f8b4d4e2314ca8a6

SHA1
40f0ebdaaf72d297fb92d59bcf2f362a5ff2eb31

SHA256
29ca3bfe92b6d5d26d69cbdd66d3c4922c64ec6e3974c825f9e28795179c6a87

SHA512
baa85dabf2f6082814f9f0a6fc9e16d70cfd226f5952df4c64774461b0f9f9bee382f6931613fb1189c9bcc4ffea660463ecff3231ac2dda6b3eecd7747a623e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sndvx9ap.cmdline

Filesize
266B

MD5
aef34e77384c4da3e425812a6ce39b51

SHA1
e5df3f127eaccad7805865eca0eba146caeb54ce

SHA256
fa9b7f8ba743bcdae34c37e9f5dc87f07bda73de28c77b6a3d29d0dac56a19b3

SHA512
1e93842d45ebca43b302690972c50b9297ede1cfa524a550ee64b5db017ea322c5bf5ceea00fae1d07208bb2a1bb0902a3cbd8264712f2fc25e5fb0d15a8d04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BF3.tmp.exe

Filesize
78KB

MD5
4d770de5c64430ecb33c1baa3970f317

SHA1
5fbad294ae4906a3c3ae35ddc1041c50c3ae6bc2

SHA256
b19fe829a1113bca6189db8248055bf79ac6f34364cc6d511df86cbaf2a0c5d7

SHA512
8226408e0e664a59fe43ab9ea63aa17ea6aa12c4ac502b014268ed5735a254c2556c7e1a1bc61dc593036a81dc0b80913e66812650106c2f4468a06badd629a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F0F.tmp

Filesize
660B

MD5
c342537445e7102f5ee07ee836763eed

SHA1
b2092bb6e466d9b7dac1cac21cfee71526b61d9a

SHA256
8b93354c9318ed94ae4652f10ee0bdb6ee4c91b8aa3c87a56dd02450bb4c7932

SHA512
47f77fe9279d3f4646266488b30f579626ed09003d281a101a21bf21cc6dc31c75de2deea30fc5f295f80169f1699794f867beca0b3d1155cae368018b98e648

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2804-8-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-18-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-2-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-24-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads