metamorpherrat | aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7

General

Target

aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
Size

78KB
MD5

0614c702da39a31d85639c01833f4760
SHA1

bb5985ab6dc59dc80a735d2959ef98e8bf150b12
SHA256

aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7
SHA512

edb6235adbefe09f16a7df6d5c10e372dcd7a6f34d535567ead644a96ac6fd242bf35ebd5b4fe3698e38e1410d8871fc75efb5de7087aa2160c260ea47c6af82
SSDEEP

1536:EsHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtz9/z10T:EsHa3Ln7N041Qqhgz9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
780	tmpBA0C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpBA0C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA0C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
Token: SeDebugPrivilege	780	tmpBA0C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2468	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	30
PID 1956 wrote to memory of 2468	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	30
PID 1956 wrote to memory of 2468	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	30
PID 1956 wrote to memory of 2468	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	30
PID 2468 wrote to memory of 2544	2468	vbc.exe	32
PID 2468 wrote to memory of 2544	2468	vbc.exe	32
PID 2468 wrote to memory of 2544	2468	vbc.exe	32
PID 2468 wrote to memory of 2544	2468	vbc.exe	32
PID 1956 wrote to memory of 780	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	33
PID 1956 wrote to memory of 780	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	33
PID 1956 wrote to memory of 780	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	33
PID 1956 wrote to memory of 780	1956	aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe	33

C:\Users\Admin\AppData\Local\Temp\aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
"C:\Users\Admin\AppData\Local\Temp\aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4vrplg9d.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC1E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aa93fbd100c27c8476e9f47808d621ec70578c563c7a776b7109025601cadfb7N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4vrplg9d.0.vb

Filesize
15KB

MD5
9c7b1d123e24b2587de8884e2c5b4ba4

SHA1
28f7cd7b1038dd0821cd6614ec007a407a3a381f

SHA256
6b10c1893edb46d77c963d790731bdc4a75b6f2e4e8718342657f0f7ea5b30ef

SHA512
1ed2d5ce70d89887add217e44d8ae9715fb23a4e7153fae2c08d2383356266c034a38e61caac9e7fb47a1caa23f2ba47582647e01d3563289843d4869bc94013

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vrplg9d.cmdline

Filesize
266B

MD5
8e5a3da6899b384f4c3495655dd155fd

SHA1
c9628555bba7cb8e8f3c79fb588a99e0bdfa2710

SHA256
75a4e0b8841ab5605c01bf6ff9555656a687873a063329c0afcd452837865531

SHA512
584c9ca5e742099eacad4d6ccfb118870055f9d3fbacfa72b38cc5ce7296d931a5cdefdfe9cdb85ade69fcb9cd64495f54687f417dd2b02daf0cc8fa88fd8258

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC1F.tmp

Filesize
1KB

MD5
03d134ce449ac97934278e8888ef8349

SHA1
c1742eb80c37fa34ee366c9fb7fc46d12678483e

SHA256
47ca56a1f7f9723ecd75c2a2b1494a2ee4254c236dc99cad9240bcf1a13ea022

SHA512
572f5dacc21596da9efdfae2239827d78e91cfc9cb456e65d2e1549e802e88f1dbeeed7054d13bc710ce874558733eee0c853f2846fbf3370982f57d5b1bcde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe

Filesize
78KB

MD5
0cc1d75418a3593a449fb00955164604

SHA1
bfe73974c75e52f9708c239a64d45c06c53a828f

SHA256
96fee77d208c0bdb8b16ae2b7f9ed53edf855832d971592a05854b4509dbe9b7

SHA512
b7e278036d82f8b12397312fd903d0afc1d1024f0a0ed8677638e83cfd762b34eab5f1f433d2eba145cc7b5b973cff2297001612ef9a7a190adaf3389571d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC1E.tmp

Filesize
660B

MD5
dc6fed78bca8f74a9b182192659e3c16

SHA1
44b25cca962c2e1f61dbbd5f358d1e308a7b7764

SHA256
fff93982294bec27e1dde6ac72cc67c55b0cafa492e1201e30d4197e008ffe33

SHA512
1dd0a8c646a227ca86a732be9690b2edd20022981448ec87286731c6b0681b746656e44aa5557ae5becc1c90824e693323e7bc83d785033aacd60833c97c09cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1956-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-6-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads