metamorpherrat | 4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812

General

Target

4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
Size

78KB
MD5

8c96d33d0a3ee3c6a9e762a87c47a560
SHA1

86976142da1bc564116819699997c4a6f6f86a62
SHA256

4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812
SHA512

8bcefcc9dc38b9ed49b05367def6a10f668681deb31a0690a3516839f8cfb96e1f2337ef0c43f8e5ceecabf0cb9c4837124ea355d2d2ebe8667b07853368d2cb
SSDEEP

1536:8PWV58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6J49/+k1bf:8PWV58An7N041Qqhgx49/Z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3056	tmpDA39.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpDA39.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA39.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
Token: SeDebugPrivilege	3056	tmpDA39.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2896	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	31
PID 2148 wrote to memory of 2896	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	31
PID 2148 wrote to memory of 2896	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	31
PID 2148 wrote to memory of 2896	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	31
PID 2896 wrote to memory of 2420	2896	vbc.exe	33
PID 2896 wrote to memory of 2420	2896	vbc.exe	33
PID 2896 wrote to memory of 2420	2896	vbc.exe	33
PID 2896 wrote to memory of 2420	2896	vbc.exe	33
PID 2148 wrote to memory of 3056	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	34
PID 2148 wrote to memory of 3056	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	34
PID 2148 wrote to memory of 3056	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	34
PID 2148 wrote to memory of 3056	2148	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	34

C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
"C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuru6s_r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB32.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\tmpDA39.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDA39.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDB33.tmp

Filesize
1KB

MD5
1f038bb339fd44e58b29d1f13c2d3bd8

SHA1
17fc67a0c6dfa02099bcafbc9a6887b4881c1d6e

SHA256
92fc4603341711f9ea850ff5c67cb34436c3d5c341ed75fb189438b8bb900bd5

SHA512
b45bfe91bcece4d74c898b73ec7a116c8e4c0ac77144ccf0c8790b44a5fea7aa82265344d74ed725bd3b9ab06acb8b994f898405c34512d981d2e2c3e7221291

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuru6s_r.0.vb

Filesize
14KB

MD5
99ab5f280bc029bb61c355761a5eac8f

SHA1
92f847f2a2c8dd6e80bc69a5e13c04d4aa8ddebb

SHA256
d43b7fdbdd8183afd0f4ac23f4c98e3f34dfdff5350c83c03a18a82a117a1ee4

SHA512
e3fd85572cab97f06d2ac145c97240d745d7d7129af886202dabdf4734694c0aa58834b59292610bff3ec558b5fdf2b3496ba08bb2a802226c23f0024ca69b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuru6s_r.cmdline

Filesize
266B

MD5
01656a9f2be349de0b71a567c7bd04b3

SHA1
1b67407f405846277465ed0eeb1ecb14c7ad9bec

SHA256
3f681d868badb3afb4236002eace596808a8e093a0d8cfd43876968574cd2a46

SHA512
4af4b7910fd2e45d8ad9acbabbcf455c878204c098c0d3f31121f08852084a0e266556e8f22ea98b5704d67da776373b02337919e1bfa3305be24f37bd29d757

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA39.tmp.exe

Filesize
78KB

MD5
ac9bc640593d28c051a29dd81b634002

SHA1
56f37489de06df3447b5a047bd8567110557c2cf

SHA256
a9e6da90182458b6b31665d5b250e0dafedd209ac28564453a54d669ef4be054

SHA512
4d8fafbcdb547523b380c2cd12b025d193c6bb70de49fb141cdb2ec21a538631035846239bc34af61cd87ca64641c3248d990dd1dfbdb6d5f49038eafcc7e4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDB32.tmp

Filesize
660B

MD5
c704b09269a2e2bb061d0182a2e45803

SHA1
ba091d964305ae5dde6200042de6d2c1376fbfb6

SHA256
145a6227faf07a9745fab96051b7e75d1f4bd7c0dc8a7dd28ada406ac7443d12

SHA512
6cdf686de5f6bee86451fc35df26e2e92c5ba0b39533f7f59d22fae1b8355ff017df436efed897dd2a6d58e019496dfe5af5162052ab6b4fb52ceddcf6ea5aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2148-0-0x0000000074771000-0x0000000074772000-memory.dmp

Filesize
4KB

Download
memory/2148-1-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-2-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-24-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-8-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-18-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads