metamorpherrat | 4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2

General

Target

4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Size

78KB
MD5

0e8e21864547ecde60c6d1747016c0a9
SHA1

087492c141051e9ef01b5617f62af826aa800e0f
SHA256

4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2
SHA512

6fba64291a2b76d3eeb5d63e9aec9097ec9b7f6c1835976dd3d29aa9ea9b202c8361954a0f8ac8b9969db4e09e626662e72974600630c8b2d2119e1381e975b1
SSDEEP

1536:BWtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQter9/G1Xf:BWtHY53Ln7N041Qqhger9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1488	tmp8B01.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8B01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8B01.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Token: SeDebugPrivilege	1488	tmp8B01.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2956	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	30
PID 2500 wrote to memory of 2956	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	30
PID 2500 wrote to memory of 2956	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	30
PID 2500 wrote to memory of 2956	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	30
PID 2956 wrote to memory of 2756	2956	vbc.exe	32
PID 2956 wrote to memory of 2756	2956	vbc.exe	32
PID 2956 wrote to memory of 2756	2956	vbc.exe	32
PID 2956 wrote to memory of 2756	2956	vbc.exe	32
PID 2500 wrote to memory of 1488	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	33
PID 2500 wrote to memory of 1488	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	33
PID 2500 wrote to memory of 1488	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	33
PID 2500 wrote to memory of 1488	2500	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	33

C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7dh4rwx0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C39.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\tmp8B01.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8B01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7dh4rwx0.0.vb

Filesize
15KB

MD5
24bec46252e2cbe08037ab1c60e52bb6

SHA1
0825e8dd62ebf730a4c58c12152796f1fca4b490

SHA256
1eec25295396971db14631b7dce16cf3bd82e687be443afe86d584a1b9769901

SHA512
694a656a6bf8ec15577fad7a244e3b7f9056dc20dff95fd3a4872c623a0dbc3856cd9b3dd1527eb85686afb10a3b0d2a98664bbfefb8fa2bf9023fffa5c9b60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dh4rwx0.cmdline

Filesize
266B

MD5
8cd55a0640dec42caeaad2c06d9c4aa3

SHA1
a3c110576400ae5fd6fabdd9d7030de37eb85faf

SHA256
4399dbaba7f543b7a00cc962be173899c0fbc2e60bba0198e4ca68e18355f7c3

SHA512
cb9ddfe66f1d721d80f373cf13634b90bcd5bb3b3acce04115115d022c9578fac2d1edb040a42bc00fac0928005db765b1bb4ba630efb744ffb43d709b6c7f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C3A.tmp

Filesize
1KB

MD5
07e48cd78719e2589f6b98be03b65d1e

SHA1
56025da605d5281275598b8dc440712f0aa069e3

SHA256
4b16c7549326b5e84e61c755f1eb5088befbbfe4e608da1147ab24b44639a650

SHA512
7ec7026fc3b2c612646c4b8d044dd9e6170d0e8bb8159e3f15339776b86a56f9bd0512dfee060ea838c4d08817b3f4730cb9809d245470c68ddcf72001ae1533

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B01.tmp.exe

Filesize
78KB

MD5
2030aba79e61fdd694d9cc81c27f8980

SHA1
1b073c251c19768f4dd863287bf4ecb62b8027ad

SHA256
1f81821ec56f82c583500332dbe40e7fb43baae7874444e5bc6798a7efc60d0a

SHA512
538b5f1a211a27e5887d5cde62ff939b321f5ea49d7647018f307c938f8e04b54fb54dbfa495e5680bb1caf19751c32850a83b84c345afa4bb3e1d97197c9911

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C39.tmp

Filesize
660B

MD5
7878efc59b336bd10552910838ac254b

SHA1
3c292f734f9bfc86ab33b089e14bdffdd9d0ad41

SHA256
2d87ed8d6310497596091aa40f99f1c8fc1b74de950e36589d93a74ebc643112

SHA512
50e91927422a1dd1381c6a4a66661d0940f46a55fed02c4c5b42f252376f9d2d959ab48c425631f15fae8153bc89b193b819af8e979b082760b96b082f0a91c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2500-0-0x0000000074411000-0x0000000074412000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-2-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-24-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2956-8-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2956-18-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads