metamorpherrat | 33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3

General

Target

33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
Size

78KB
MD5

83b7f40d778cee51afc453666cd7d164
SHA1

05b7e867a46835140ecb127dba64f51a03a65d89
SHA256

33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3
SHA512

541a05024678e46ad498ceb13757d442e3f468789698b95f65e748d079791d83bb2851d53cea9d01c26c20bf607a2402daf4407905c6d7688269a1c26a38a196
SSDEEP

1536:iRy5jSNdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt26tu9/NB1gI6:iRy5jSYn7N041QqhgA9/j6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2760	tmpD92F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD92F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD92F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
Token: SeDebugPrivilege	2760	tmpD92F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2456	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	31
PID 2328 wrote to memory of 2456	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	31
PID 2328 wrote to memory of 2456	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	31
PID 2328 wrote to memory of 2456	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	31
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2328 wrote to memory of 2760	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	34
PID 2328 wrote to memory of 2760	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	34
PID 2328 wrote to memory of 2760	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	34
PID 2328 wrote to memory of 2760	2328	33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe	34

C:\Users\Admin\AppData\Local\Temp\33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
"C:\Users\Admin\AppData\Local\Temp\33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fosbt7uo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9CB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33e8d6fccc974679aae1c18b33011c51a4a7540d779b8a15834fe0efa6d918e3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD9DC.tmp

Filesize
1KB

MD5
21aa4db41a59f12fad6172a7fdfd7bb6

SHA1
2d57eb8380465400b232bbbf8bb753713a7196cd

SHA256
9038265d138a480b5bdebd0a9fde3257aea57044c449f1f7d3a02da47c8c1a40

SHA512
30839ab31dcfc79fdae2988da17c0bb62cc64d870a82a9b3595dd92a91ea8efa482340d74a403bf178481afce9ba7aa2e6f638a213e8e7d551c49c0d4d1c727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fosbt7uo.0.vb

Filesize
14KB

MD5
97b29eeff34ee1a00f0aad9f262c0438

SHA1
7b4571e558c698a4fdcd13f77d8af4ac91f8e90e

SHA256
7c96c76bafad320a6e6a8c49f68b0c5bbc69f457ce0689db271401c0b9c17820

SHA512
f11cc8842049f148e100917a00b22cf120588dbcee15ea34cad7e7cd6cae30ac46369cc5bf9ba987d061c285083b9dc52404f764341972a921a3a355a337c7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fosbt7uo.cmdline

Filesize
266B

MD5
4a838578309813ab008958b9538f17c6

SHA1
3667f611bb7efc1ed90b32dec95358d2d425bb58

SHA256
d0412a56bb53ba0e5f38ac4afaa3f71fba328d525f3111ca8a79aa67f0da8810

SHA512
5689a3e29215c8c0479c39549ba06f960c37d6b67be8378e5da0d4186e9f2605dfae17f3882be419450968c04f665707be760b7c91efc1d19aea0446acba2d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe

Filesize
78KB

MD5
3718b42c032598b82f711e912f22afc0

SHA1
54930129d3b46dde61fc60ea782c709db42b9faa

SHA256
afbc87fa3814ebb46a633c05d39086516cb539c5b34e76e187ec890a2ab721b1

SHA512
cd204df496d1387e5c35055dcd32bb76f6c7c5fe3b082edfd6ac9a08f3090c5c3aeda2e728e7fcc6ce04cb604ba56cd63483639fac50ab43ea1dff400ff25269

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9CB.tmp

Filesize
660B

MD5
8e767a03259e347fbd10b719df0f219f

SHA1
9f0041a2b07a9441754a77e6c6c4185be60a19a2

SHA256
acc93850f94fb1915dc566d83f5e1606ecd0351fc2d9d4ace6f8e86ade529253

SHA512
f9f2bb7e3c5619cb88ed26a841bbb8d6c06706cb5bbce770e6cfd85c19c1f44343cca93d1c9057d79b66cd16e47b59c3770b7c9a8ef6f8da29fd6ba10b8150da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2328-0-0x0000000074221000-0x0000000074222000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-24-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-8-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads