metamorpherrat | 03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9

General

Target

03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
Size

78KB
MD5

9dd252b29f60325b6fa3fcfc69d72429
SHA1

5f195c2f698a873fbe7d8cb5363f36c61afe3f8a
SHA256

03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9
SHA512

5bd30e780522db824e1e6508a5f752930c090a0deb013f3d698216e0cb11d7f8eff0573808f7a3e0412e6c3d77a3225d7737344f0245a8585b7a38c9dacca409
SSDEEP

1536:8HY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtp9/z1nx:8HY53Ln7N041Qqhgp9/v

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2768	tmpB155.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB155.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB155.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
Token: SeDebugPrivilege	2768	tmpB155.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2756	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	30
PID 1600 wrote to memory of 2756	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	30
PID 1600 wrote to memory of 2756	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	30
PID 1600 wrote to memory of 2756	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	30
PID 2756 wrote to memory of 1436	2756	vbc.exe	32
PID 2756 wrote to memory of 1436	2756	vbc.exe	32
PID 2756 wrote to memory of 1436	2756	vbc.exe	32
PID 2756 wrote to memory of 1436	2756	vbc.exe	32
PID 1600 wrote to memory of 2768	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	33
PID 1600 wrote to memory of 2768	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	33
PID 1600 wrote to memory of 2768	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	33
PID 1600 wrote to memory of 2768	1600	03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe	33

C:\Users\Admin\AppData\Local\Temp\03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
"C:\Users\Admin\AppData\Local\Temp\03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4rdtfobo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3B5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\tmpB155.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB155.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03850c1d0a4e0d09499518cf4fae758f36d5e9d332d10fba30bbad4e33e733f9.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4rdtfobo.0.vb

Filesize
15KB

MD5
3e1b6c0ccc674bd6690037713412156c

SHA1
7ce8b373fc3e0dc578b6b9e64797c546e21ec566

SHA256
bf54b719e5fe9dd5c85b876e53d8e1820696ab0d6f87587e90c3af7597fd1a23

SHA512
5f86a8ad8d9632a40009743caf803ae38e14b79c9eb62e0f837ca8bafb2ebe9eaf84ca7f4f61ef69faae4c69bcd9111efb2dd15a63d2100226f30bde9d5b686d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rdtfobo.cmdline

Filesize
266B

MD5
3785fb688035c71cb82fad1dab7e615a

SHA1
413dfa750dabbb0c20741a93f767f97548cd882b

SHA256
6a9ae8e68fe020e7025632b794068b6199b9c260dd445a967a132837b1521a53

SHA512
138ca09287c9f1c064d60445a7c1175f63283225f84167e65bd623479bd21546c64904bb7b7643df3e4a4deac75e6a10f36bedef1827390a4093d8b2197725ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3C6.tmp

Filesize
1KB

MD5
e4440a26e26317c7c3c709fc3dd1e230

SHA1
f69d8386bad91ae9dfa7f0dcb4126a5ee4fb6fb6

SHA256
4dde275adbdc908ad7b23520f1037ef3a58589ef2bff5072b5acf25759a2cac7

SHA512
5018bd76eedc9933e3a72d44a7ee2fff0b3142d6679ec53db6eeb46293c38ee5666eff1ff2060b3cdb7ff490cb49e202522b30a1a9250b4e787af163864bdad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB155.tmp.exe

Filesize
78KB

MD5
b2839c61b76c6ef7905ea3a249c67830

SHA1
640fdd631b53751bb66d886a4e9375be4bf2bfcf

SHA256
20e66e0019154f49a01f6beb5fa00ddd7b51aa526396b1d9169118e8ec8d09f4

SHA512
2f7762ec7b43a159d1e304c674c89c5ed65e5b7e15913944a062f69be9dd67f6d3324ae86adf166bc7096ab6a2966c5d0c50b405e8fb2119ef663214a7e1a7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3B5.tmp

Filesize
660B

MD5
b6e607facc2075166645f7e589fc7f7c

SHA1
b9e4964899f458c22accbf925c860efa68d69da9

SHA256
6e4b6920f04d362ce693d9b04008b14289953d74aa485ca7cd5fd6a773c985be

SHA512
15d0f9a62be98e5e7f2d99bc9ab7db48b9e999007608f9e761db4083365099a0ce4f1cf8523b1df0410894990a197b9daebdb429d3a6506625dd30429fb5d698

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1600-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

Filesize
4KB

Download
memory/1600-1-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1600-6-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1600-24-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-8-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-18-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads