metamorpherrat | 3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893

General

Target

3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe
Size

78KB
MD5

ef682ffb9e0ac12101887b24890cb155
SHA1

71bf4626b84c79c1067a2dc15abe876a33dbf272
SHA256

3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893
SHA512

43825930fb999b4f0dbb0920190dd2b86f1bbfba7eb25685da207a0ddd74ae42d2bbe266411b9e0eae0fd9498ab54d5d09a1aa67199a90b612702697ce7b1bd3
SSDEEP

1536:VCHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtdC9/41fy:VCHLdSE2EwR4uY41HyvY89/v

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
536	tmp6EE9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe
2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6EE9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6EE9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe
Token: SeDebugPrivilege	536	tmp6EE9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2140	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	30
PID 2824 wrote to memory of 2140	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	30
PID 2824 wrote to memory of 2140	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	30
PID 2824 wrote to memory of 2140	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	30
PID 2140 wrote to memory of 2916	2140	vbc.exe	32
PID 2140 wrote to memory of 2916	2140	vbc.exe	32
PID 2140 wrote to memory of 2916	2140	vbc.exe	32
PID 2140 wrote to memory of 2916	2140	vbc.exe	32
PID 2824 wrote to memory of 536	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	33
PID 2824 wrote to memory of 536	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	33
PID 2824 wrote to memory of 536	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	33
PID 2824 wrote to memory of 536	2824	3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe	33

C:\Users\Admin\AppData\Local\Temp\3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe
"C:\Users\Admin\AppData\Local\Temp\3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jjxxawv7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FC3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3505c902314ab1baf65f504db50e1449efa839474cc0cd8b07620783d9f45893.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6FC4.tmp

Filesize
1KB

MD5
81c3add405e752ff94a369a0cda6a525

SHA1
e610f6442a654d9050eee37f1da9036ecfc8f161

SHA256
f22f6ad550244a347c6f8168d23e63e27485f567cd651cf30e9a732a11ca78c3

SHA512
7ae1f4d9de57b05ad2398cfc87e26f209243f3481ba2e7e44c418563c1c1076e0f5d0ce109f5c5bf46c34cf21f8da831ba0e6600805d3a6458ff2e39b466b34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjxxawv7.0.vb

Filesize
15KB

MD5
7878af8d9e04dc05962d1e2eaf3f2930

SHA1
09dea4191ab215ed6f05a1ac365abaa541cdfb88

SHA256
2fc63f5ec6a1cd0576a5ff0986c1b9a75d0565aca9a2dbcc53c9b86573848a01

SHA512
acf07d6852829a817cb920e1fe9ec2891866fb58a7ef36eb62333ef31860a1469f535fda1b9f823603a7d003c8883a19377a6f7991461cac9507178d71712a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjxxawv7.cmdline

Filesize
266B

MD5
066bb9f3b04a9cefe6624a0ea8406fbf

SHA1
7fadba3cb3b8e59e1d75cf674596e902524eda48

SHA256
da3a9d07dd2856fdf3bc66f845e9096d4ccc1620b2d84e8030116044306dd4de

SHA512
107f9704e3f4a927281119a01f158dcd303201a2a5215745a914c950bbe756590dcf5e0a83dd0e99ed6deb5a5b22f91fc65dcecff73138eff2c63bbd6615e276

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe

Filesize
78KB

MD5
e25a2ea6eaf0d80f9cbb83e03791ef2f

SHA1
da14c66677dd383be19a00cb138ec207f162a53e

SHA256
f6de5fcfee00d62715db828f08087f64c7a8eac64ee058be55685cce5bf03705

SHA512
29cb417041ec9fd71c8db2f49ac0162f56a3ec4bfa69a870f3b15a7911a765a1c5a1e0bd0fac3a40e729dd5bef8a88f227768edec534ab12383b09d62557cce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6FC3.tmp

Filesize
660B

MD5
2b832845c9293ed2a66c93727e5405f6

SHA1
575e19685178e881cb4a4937f17dd6cd1857b5e0

SHA256
5f56a373482ec529d38ff79d177d5ac29b1107d227e7e12117cf595867ae4361

SHA512
ef9486a51497ba55afc847934e7cd2fad56790d2b307ee21ee5d542b06f37e8eb09254dd57d3516142bfa9b578384c6a96ab93679d32f89f2eea0e557f07359a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2140-8-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-18-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-0-0x00000000747F1000-0x00000000747F2000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-2-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-24-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads