metamorpherrat | cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267

General

Target

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Size

78KB
MD5

0a2ce31e8654f4c3ba6d81bf7ac51e00
SHA1

a0844a42d36b88b78074e967f3f946761b48ad28
SHA256

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267
SHA512

f8d20f0e97e3bc01c4480682f961378338a8d26f16a4b071eb572033ee0028920d006d5b78887c572b29eccdc2e491ee3dd87dc86ebf139dded1b9330ae0fe7c
SSDEEP

1536:OHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLQ9/hg1Kz:OHFo8dSE2EwR4uY41HyvYLQ9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2796	tmp7465.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp7465.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7465.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Token: SeDebugPrivilege	2796	tmp7465.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2740	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 2516 wrote to memory of 2740	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 2516 wrote to memory of 2740	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 2516 wrote to memory of 2740	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 2740 wrote to memory of 2836	2740	vbc.exe	32
PID 2740 wrote to memory of 2836	2740	vbc.exe	32
PID 2740 wrote to memory of 2836	2740	vbc.exe	32
PID 2740 wrote to memory of 2836	2740	vbc.exe	32
PID 2516 wrote to memory of 2796	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 2516 wrote to memory of 2796	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 2516 wrote to memory of 2796	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 2516 wrote to memory of 2796	2516	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33

C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
"C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\30vrjf5z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75AD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\tmp7465.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7465.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30vrjf5z.0.vb

Filesize
15KB

MD5
66e21c600e6a2e3d006a1fb521690a12

SHA1
daa10b0794c2528b92635e7a04760d2ec091b698

SHA256
9adbb9848589c4a4ef49793c3cc5938a35ea204222997ad8cfe590a6d9fefcf0

SHA512
208193c507d2cc04c104383b306cdabeef25fcd83323143f8741443dcab9b0977acf2bd55bc1d8ec062771312ae0b9284599b456731846f3d4013704fca8ad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\30vrjf5z.cmdline

Filesize
266B

MD5
bc60abca81614a5411c147e79744a593

SHA1
3c2bf00081ff1d01a7e34be5f1c335eacc7a7251

SHA256
f094e3ffe4ae7c70a390c80c43c60a178827346e3fd6d603bc1ef153999bdc35

SHA512
d55d8b8374b9af90f04ee8119e82f6beac7995da90aa25d9429ff6aafd7af396a961a50b0b543794363d3b1bb2b03763358b4350338b2e1707c6fb55ab95dc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75AE.tmp

Filesize
1KB

MD5
2a8a358356727bc76c9fd0b96c8882c3

SHA1
8ab5b1c2838648477a499f0560732de62ce56c43

SHA256
2ba870c549a8e6617d347e95a097b3e387fd152835a1bb7041cadfbacae011cc

SHA512
b47f374b04b7d5e9de114331bed94e35aac52ea88b4fa6505857d4725b674f31c356fd229f737360b1da2bb2269c91dcfa763d8c9e6f889ac2a4d8c5b0c5c864

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7465.tmp.exe

Filesize
78KB

MD5
e17e86896fa3f380a43d6aec769b803e

SHA1
63417b24379bc503e2ad366b34138ed3ca57b116

SHA256
039ac4ce29c8f8d19fb9885ee411e3976e8bcaeb4d6b2838d14376a82d6066b3

SHA512
089f8282f23751bd0dbc5479de8a7e0409e6b2db588a3a85fae8384ac11c39ae3fdf6c8663a3179ed75890ccb699668ce0fa5aa4b09f1145ca698f127019aa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75AD.tmp

Filesize
660B

MD5
05f325aa01470000e8ddf182d0822d9c

SHA1
a2db5378771be261258fa61266d96ec94676b0b5

SHA256
919de92cbaf6049aea8771ddb1fc1055ffe208a71285c72318d3eddf4b3c0b6c

SHA512
43f78b108f65aaee16d5f140319e5e1060e26fcd4305df1df6985d97e4636c35cab932846d04e39298d82ff4e5f182a5c8bdeff10dbe87b096144dbfd5aa936d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2516-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-2-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-8-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-18-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads