metamorpherrat | e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8

General

Target

e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
Size

78KB
MD5

e1dc68718d5eda4005030486b6e5e373
SHA1

a268407a73d548241411b41722d5bd6723dbb385
SHA256

e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8
SHA512

8e21637d7bd1c3f1c0cbeeadcc07d1f8f509baac0c5f1a47bddfd8574dcc33211b24ba23c73740e3857cde50b3fae9d136a7c46e0128cea83101194f160c24fa
SSDEEP

1536:EsHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtz9/z10TF:EsHa3Ln7N041Qqhgz9/wF

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2788	tmpE447.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE447.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE447.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
Token: SeDebugPrivilege	2788	tmpE447.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2516	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	31
PID 1576 wrote to memory of 2516	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	31
PID 1576 wrote to memory of 2516	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	31
PID 1576 wrote to memory of 2516	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	31
PID 2516 wrote to memory of 3036	2516	vbc.exe	33
PID 2516 wrote to memory of 3036	2516	vbc.exe	33
PID 2516 wrote to memory of 3036	2516	vbc.exe	33
PID 2516 wrote to memory of 3036	2516	vbc.exe	33
PID 1576 wrote to memory of 2788	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	34
PID 1576 wrote to memory of 2788	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	34
PID 1576 wrote to memory of 2788	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	34
PID 1576 wrote to memory of 2788	1576	e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe	34

C:\Users\Admin\AppData\Local\Temp\e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
"C:\Users\Admin\AppData\Local\Temp\e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\shnjoxew.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4E3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e9d811bbc2a069808758431bcdacddcf81fef8aefafe9d733d881682548c56b8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp

Filesize
1KB

MD5
c16db602286a292a506d173718d523e0

SHA1
9d69c1b6f9dc202acbe016a29eea8c2d64d2ed87

SHA256
1a1ed0f93cfdc47fbc6ae54657149378e2c081588a73f14651f7445e66e298f5

SHA512
7889cfb98cde7ae65eaf49d7dca433545ebe2e3b1f5185886d8eebd6611b29d7576bc65017e833f451faf1c02296d2c2cc50ebd5db58077a29d09009850b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\shnjoxew.0.vb

Filesize
15KB

MD5
eab754a679c41a868cdb714ba5f54d35

SHA1
8d1093b9126b8d2d0062157f42dfe5d42484cfff

SHA256
2bf113968ca1534eeed8180539c958334a5bea8f43816f43ca9a76547078d749

SHA512
a5df2781fa7c50d48014c40ee1868829f77218db02639dc518178a76c5f4ec3715948a96014e7c92a2ced5441054e648f2ea5af4727a75a7a82ba5a429f0e0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\shnjoxew.cmdline

Filesize
266B

MD5
8d75b1a63c86ee1efc3f44bfc695c936

SHA1
e9b91fe58eb524dc4f9c6665d1a6071da0fc0714

SHA256
a039ab716a53f90d8298456afd18e475b8fabaca4042e9db07eccafa9097b556

SHA512
f18d5088fe9afc45e1cd14e9cfc7850b1ac85ae7574ed45e5a4088c7816ca665454c4cfa4dc775c0011a357c2d58006b896aa7efa2517c539db5d0b258c9a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe

Filesize
78KB

MD5
ba724a2297ea1ff5caa121de883ce815

SHA1
da040587f835cd98b5b8ad8f247c740a9e2d5b10

SHA256
92e262acf9c2079a6fc6fe297973b0957c7e53f6414d3c0201f570e75f498f39

SHA512
c7097eaf5f2e93ac603ed39c43a9aa989e8cdc47afa6fe87e432e9f640f6c2f7746283645b1fe6350c9fd08ef5ddc36a00bbe10814e3d57c0f168f00327852e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4E3.tmp

Filesize
660B

MD5
f57a64241fd1b2cb4ae70fa69e6cdce6

SHA1
a27052d36683d9dc6046eec4452affb348c19187

SHA256
2c2f9c3b0ff118fac2d5ce04ce2761b542fa452ac059067768f5512b91ba238b

SHA512
3c83e48030876431ba179cc705e73996a60f057c650f783383ebee82b79e8b6ec69ac21bada842f604ae666ba92cd63a025b4925597174beb92f5ebd10ff7f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1576-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1576-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1576-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1576-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads