metamorpherrat | 0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0

General

Target

0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
Size

78KB
MD5

1380c72dc706ed1f41d03a0dd1c40aa5
SHA1

e4bbfb17dcc60f052ed667d6c8d64d397a8d4df2
SHA256

0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0
SHA512

a55f682089c36e38579b4d4599de17773503164ac99d1b9f7efb736cde5dfd08b66384b554a525ebf9976af92fec4c61549913431b1297489384a34518191748
SSDEEP

1536:Ny5Xdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6j9/N01tl:Ny52n7N041Qqhg79/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2744	tmpCE85.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCE85.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCE85.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
Token: SeDebugPrivilege	2744	tmpCE85.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2124	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	31
PID 2060 wrote to memory of 2124	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	31
PID 2060 wrote to memory of 2124	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	31
PID 2060 wrote to memory of 2124	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	31
PID 2124 wrote to memory of 2204	2124	vbc.exe	33
PID 2124 wrote to memory of 2204	2124	vbc.exe	33
PID 2124 wrote to memory of 2204	2124	vbc.exe	33
PID 2124 wrote to memory of 2204	2124	vbc.exe	33
PID 2060 wrote to memory of 2744	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	34
PID 2060 wrote to memory of 2744	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	34
PID 2060 wrote to memory of 2744	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	34
PID 2060 wrote to memory of 2744	2060	0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe	34

C:\Users\Admin\AppData\Local\Temp\0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
"C:\Users\Admin\AppData\Local\Temp\0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbgaphkh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0652036defd5d49dc407052472a2772d895e29808e3df666a095b578109694a0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp

Filesize
1KB

MD5
a70c877696639bf2e4160db0190c75d9

SHA1
66e7f8773dde3e8b15bf55e29a87af5558a34258

SHA256
246df8f08c5839de091246bc32f702d333aaafdc7c9161c3eb770c7a11528149

SHA512
9efeaf92d76e0b917032d216683b26b6a10c8d44243f9a600aa0db4890a76056c30d10897b3cad9fe1c7c95c9539e9614f9f9a3276a38e7e1bac336e4a83e551

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbgaphkh.0.vb

Filesize
14KB

MD5
b98218ceeaf02c5458b34537ac26b432

SHA1
fd48c605b0b2eaeaa6c4c2636235dfaf0049f193

SHA256
913b6276586b9f576ab2f13a7d4e4fbf7031fc6d15e8808ac943e80de1c228fc

SHA512
7055a2196c11e0adfe954df5b25a79c8b95d4acdb2bad3dd4e116e8700131ce9771334d9b7ac7ebed2d0d2309f01f88f882cc0eb08ac0c429bb80545133c3d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbgaphkh.cmdline

Filesize
266B

MD5
e250e0208fe1ee93880c8cb72784ff13

SHA1
8911e8a4198fbbabd3b03b64c6096087204a782e

SHA256
3963c5ed09836207725f9347c69aa687b491f80b7574ed56d0ba160baf76ba65

SHA512
c7817dd3032e6384a45fab9edd76ff5f400048690eb3c62e3c13e9d6ce46e4e76d3019218f47e111bd3277bf0d80e5915042708ab0bb4126b3871dadcccc2d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe

Filesize
78KB

MD5
a7d28076126e3529c996baeb7f2546dc

SHA1
95a7dfd467766e637a08562d2137fabe4839a373

SHA256
322d274858a1ce7bd404cfb938abb04a400e30f36a55e85f7e8e94103d15887d

SHA512
1c30a91fc3487368fb2fe78e2b75ec146b46654bc7cdc437023830073e133aea4bbf06346f5d4f2f6396bd6f12ee91a16aece37b4113b02559b8bde73ba96ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp

Filesize
660B

MD5
cc6815006fc7789b374776ff7e30af3b

SHA1
5151f11071ddfc39d2e97e92a34aacbe62f05dd2

SHA256
ea0a8d9e715f29021f3adeccd58f2fc790d6c59c20745536ce3c82fdd82f8334

SHA512
ea98fcbbffa37369770cb0591002020cf6a2f4ed34433137f3e770c3f5e3349f6965754e0ccaf3093b972ca6afd164db309b0e690c46578a346479998befaf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2060-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-24-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-18-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads