metamorpherrat | 3d98b01a737ff423a51d2b4c9569febaaea5071609b7bb732c7e4ba39b132ea2

General

Target

tmp1EF5.tmp.exe
Size

78KB
MD5

218002d4494871551c3fd0f066c24863
SHA1

b795f81b31b18c18ebf64750211ffe62f9ac12a9
SHA256

3d98b01a737ff423a51d2b4c9569febaaea5071609b7bb732c7e4ba39b132ea2
SHA512

05e115dd568b63d3f15802f576853b3e9f557a4dea1d80793fbbaf39270de8b015a01a0fbbbed7de115f8d4ee14f1855eea36839d1433f650a8b1b2a2d79769a
SSDEEP

1536:FsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtJ9/a1W5:FsHFo53Ln7N041QqhgJ9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2776	tmpE512.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	tmp1EF5.tmp.exe
1880	tmp1EF5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE512.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE512.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1EF5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	tmp1EF5.tmp.exe
Token: SeDebugPrivilege	2776	tmpE512.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2264	1880	tmp1EF5.tmp.exe	31
PID 1880 wrote to memory of 2264	1880	tmp1EF5.tmp.exe	31
PID 1880 wrote to memory of 2264	1880	tmp1EF5.tmp.exe	31
PID 1880 wrote to memory of 2264	1880	tmp1EF5.tmp.exe	31
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 1880 wrote to memory of 2776	1880	tmp1EF5.tmp.exe	34
PID 1880 wrote to memory of 2776	1880	tmp1EF5.tmp.exe	34
PID 1880 wrote to memory of 2776	1880	tmp1EF5.tmp.exe	34
PID 1880 wrote to memory of 2776	1880	tmp1EF5.tmp.exe	34

C:\Users\Admin\AppData\Local\Temp\tmp1EF5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1EF5.tmp.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyq6sjap.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6A7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe" C:\Users\Admin\AppData\Local\Temp\tmp1EF5.tmp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE6A8.tmp

Filesize
1KB

MD5
980f10971ddb5a5a2e2d0549cf7673f1

SHA1
0305f1aaad8e48cee322c0882f4d3742268a3394

SHA256
92804f2f0c2e31f66feb249abcd584691e61aa87584365b472741a5da57ed3de

SHA512
75984813a101fad6f94d8d9b6c71c80dea934bb140ef904febaf0a95229f07197f28581a82ae2c377491ae01f25ca0f1d6c77fbc8be216c94c2f52e4211883d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe

Filesize
78KB

MD5
16c5cb46d3ff524715ac5611225e8584

SHA1
c5112385d67fabda3c105923d90986387f354f4f

SHA256
ebf5df2021680885d8949dd17dcbaf78aa5e84762462f5232ab0403b11fc4667

SHA512
8757740674658dc13ed2609c6b81598a4afc9f39fa8fbf14c124cae9057bcd800e67d9d95033d555c7287b6481d0e04f6589afdf18212389aeeb5c8c51f19b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6A7.tmp

Filesize
660B

MD5
10939ff001d02e8d07366098a781186d

SHA1
96f7e59645fd3ccb739e6cd094ff23cd741714f0

SHA256
a2115c850914a280804fe8ec47f97a14d95e86dde370077ea417da56e5c4e2cc

SHA512
68e85ccaa4614330b898a9d8499a3a8c3ae8368e28c9b3b9777da4226371d685d91d1fe5eb6ee99359b0c948facf36b235b53ee0056a38e5d36f111b3e3dfe00

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyq6sjap.0.vb

Filesize
15KB

MD5
6b06f11e1a9f7f2af3cd38ca8f5335e4

SHA1
207664c98de6241e9aea91137d90f94038e251e6

SHA256
b8644812a77ee002a17385940ed7316b3372833f6f01d869baf25feaae473595

SHA512
481d4078d0754f82894cbd2d95388867744529be81db12aabcf4fb83c06db0aed655f4c2963596eacb0ebc37a70f1d3745ace2a5f2153fc2e8c6cc3c6706d880

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyq6sjap.cmdline

Filesize
266B

MD5
85616258403e414368447f652ad61fa3

SHA1
5c9c397ec8556695a9967ca190f3a4ba3bbb223e

SHA256
6b8fecfaf4b99091b5066a8ce563a97de3c7745286ce65d56713f91d0ea63e39

SHA512
fd2b1b3047df1fc78e544dc239081d3e87ebc0480ae4f55dd488ba0f9fd58aa075058efdae0d105850e532b43054462cfec63f9d1dbcb9a366910ca0d8ac28fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1880-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-3-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-23-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads