metamorpherrat | 1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4

General

Target

1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
Size

78KB
MD5

2a21da074f16697437f40b59fc876ecc
SHA1

865380c43639748c3ae8cb7fd6ccca277a5cc7bc
SHA256

1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4
SHA512

e2a42afca1764b1b1d08a7596d92024b8c5abdebbac186bfd9a039825ecd087a022a7ab7276d7622da1a36dae2d384cdcfbb0849873e6bf3d4ad62b89588c9eb
SSDEEP

1536:Uy5Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6z9/Pp1kP:Uy5Yn7N041Qqhg79/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2872	tmp55CE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp55CE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp55CE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
Token: SeDebugPrivilege	2872	tmp55CE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2716	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	30
PID 2156 wrote to memory of 2716	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	30
PID 2156 wrote to memory of 2716	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	30
PID 2156 wrote to memory of 2716	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	30
PID 2716 wrote to memory of 2928	2716	vbc.exe	32
PID 2716 wrote to memory of 2928	2716	vbc.exe	32
PID 2716 wrote to memory of 2928	2716	vbc.exe	32
PID 2716 wrote to memory of 2928	2716	vbc.exe	32
PID 2156 wrote to memory of 2872	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	33
PID 2156 wrote to memory of 2872	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	33
PID 2156 wrote to memory of 2872	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	33
PID 2156 wrote to memory of 2872	2156	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	33

C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
"C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irb7ovfw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5707.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56F6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\tmp55CE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp55CE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5707.tmp

Filesize
1KB

MD5
324edf612b6c7889f70cefb3a1539ffe

SHA1
4bf85f12ba75c2c98409875f7d0801f92f24907e

SHA256
496667c5f8651572494b3c3ababe1226d186702e2f6ad8a5e2b7b46507c1a93f

SHA512
27d965a8e09c3ed51042d049034243fbc059285ab850015601554c602374339801c612b93a0f353069fdde6f6d9836f92153f5f3961d0051d6541ae82e5ceddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\irb7ovfw.0.vb

Filesize
14KB

MD5
d13711cce59648ec8da8bdde5668e6f0

SHA1
fa06a9fb929f8769a0c2677dc3e99e969053fc35

SHA256
5de12277131d0c20e80d00986e92a87cda113d63120f19f2fa5dac0317f1de93

SHA512
9b2955288b12d27019c1c1b15ab830adf2d97b22c4e88e9c25bd3eacf91bf644af0df05c66dcf29ab424c8ea85d51ac2d40b2248153c8013f070f06f9830cfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\irb7ovfw.cmdline

Filesize
266B

MD5
3a8c108c407e6339e9e867fa4c8f16a0

SHA1
8c90ea3cd6786d9c2b7055814388360c10a21fe3

SHA256
d58e787334ec61b51617937bf6cf52f0bdb16727f16cb84ce4e04337f04571d3

SHA512
831449f21dd46a0c6d15a5c0ccc61db6128e23253546fc16274bda28169886f2b04cbaa3e0bb0f3e0aaa2e1550e777fd71f43d0f0963822a4fb765fdb35aca97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55CE.tmp.exe

Filesize
78KB

MD5
ab2a98c6d0283ef590f97c423307f283

SHA1
9331b7fbe45fefdeb8700b4aa8f37611cfbb7c91

SHA256
2fd193fe5367429caf8732daf29335b0ae4720ef2c0e573d05f6bef67b2483ab

SHA512
de6d475dd3d75279bf03388428f404f441dd27a3516cde946fcdab412a75134ef70e63683d3ac6f81d13e495fc748736ed6cd90d5296b353b932d6420cba1619

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56F6.tmp

Filesize
660B

MD5
71d01448e3aeb36cbc250420f6db005b

SHA1
a626923c13b37c9a93d070c9e0d77a1485bb0f47

SHA256
3effcd17df19f0509c09d15b726450ddfb28a0f7b4fc4c801c23b94d62fb0f25

SHA512
c945ba8a6ad031baf4af6a6f0e5c2e0d533054670510545c07840d9c3e8b25a2d151cc8ec6f9b9e201c2e8f7eff3a7dd7dc065456e38ba579097a8bde7fcf175

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2156-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-24-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-8-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads