metamorpherrat | c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4e

General

Target

c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
Size

78KB
MD5

1646901318c424157fa013a4f19a2650
SHA1

8c1067841d9b53854f396f941923ec770a12a393
SHA256

c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4e
SHA512

c4d40bee5772330c51fe87c09aa8c1b16c2e3d10abe5d40af35acd44f3c58ed54717a0dd529f9b28f6c62e8a2faeabec0092d81c680c57d68395b742383f89e6
SSDEEP

1536:BPy58cdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6S9/j1E8:BPy58rn7N041Qqhga9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
992	tmpC429.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC429.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC429.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
Token: SeDebugPrivilege	992	tmpC429.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1664	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	30
PID 2128 wrote to memory of 1664	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	30
PID 2128 wrote to memory of 1664	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	30
PID 2128 wrote to memory of 1664	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	30
PID 1664 wrote to memory of 2632	1664	vbc.exe	32
PID 1664 wrote to memory of 2632	1664	vbc.exe	32
PID 1664 wrote to memory of 2632	1664	vbc.exe	32
PID 1664 wrote to memory of 2632	1664	vbc.exe	32
PID 2128 wrote to memory of 992	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	33
PID 2128 wrote to memory of 992	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	33
PID 2128 wrote to memory of 992	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	33
PID 2128 wrote to memory of 992	2128	c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe	33

C:\Users\Admin\AppData\Local\Temp\c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
"C:\Users\Admin\AppData\Local\Temp\c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_sqsmhcd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC60D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- C:\Users\Admin\AppData\Local\Temp\tmpC429.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC429.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c94d4a44535c3f3f1cd2cb3c3f064355e3a326f95d665d2eaa7007b398058b4eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC60E.tmp

Filesize
1KB

MD5
0c9c9ec8fc25cb8afb538141bf9010b7

SHA1
bc7efa2a9d8fe0a96b4eeabeb6e5dc44cc6287ac

SHA256
b193c193845dd6c4bb7ee645f57639f9466c32e0dc450fc925e1f145a6b4de46

SHA512
bfd700e4382acd34936a7f18946143205d8db205c1dcac099efc91805327e8da19dc568878f581007e38af2bc247a3e2398ddac04dc7cac81490924f80f28892

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sqsmhcd.0.vb

Filesize
14KB

MD5
1a566a18caefe117f85b5ad4e92d32f0

SHA1
6693198d0f4c9d392f39a7b5745911eb6040f9e9

SHA256
2922359c06021d94e9ee0994f2ad32f070d96d6a14a3aa70047915666d5336c2

SHA512
86e91bc46bdac13a2c742c4bb27e8cbdd77f3c5a0ce89714f35555a58a008bb5806ff16fde4cf9dd906775d50099a68db3fcd6bc32744086799d39de655d7f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sqsmhcd.cmdline

Filesize
266B

MD5
a71b4b0d8af1b6d51e43287e6e224a89

SHA1
3b8f7399f4c6a3edba8a52aaf8ecf1be0f267f18

SHA256
98b9366972f08fc0a5a232dd61624edcc998c70c72f83574f742ce9f3ec007e5

SHA512
7a9ccff1be3cbb5fc7af6344484bcac5240cc7dfb3e7d17f2d7429be43b432fbb0e5ca76e7a157d8e6c3e7915533446a6b72c665855464d62de44a8ec1b8b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC429.tmp.exe

Filesize
78KB

MD5
8c6e2dd306abee44cd7f4f6baafcf9ae

SHA1
dee902073d881679e33dd2d63ca91e87691097f7

SHA256
a670b7aafd8d019167fe841a8647791fbeffb0848c171e0768761533ff4d18ec

SHA512
8eef65e50808fdeecca95eaae8bfcfb3ad08de92b713ad4e0767d2047d0415b9d00dfd2d5eaaac40d78ea387350b491c96e6c9a52299102c064a3a4699a806fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC60D.tmp

Filesize
660B

MD5
1a712303612c709856be2f315e526a3b

SHA1
cddbcde382392051c7c1880ca0a91d4a967968dd

SHA256
dc8b120e855e8ad2c830fe1107cb48fee1597b59d64119399c4308d5dc366fd0

SHA512
b0e77e4d90ce01ec8a21854cb51e32652979d4b37913eecc685ef367e9ddcb72ef12556e279aa79183767b7ecc22c9e7db8130d773dd6b1519b863307de93815

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1664-8-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-18-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-0-0x0000000074D61000-0x0000000074D62000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-24-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads