metamorpherrat | 0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae

General

Target

38aefafe444a34c9974398a96bb0e100N.exe
Size

78KB
MD5

38aefafe444a34c9974398a96bb0e100
SHA1

e5ba22e6cf4c54a400a777faf09b06da4db6d4d0
SHA256

0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae
SHA512

f7095694da8cf6ad0c1142ae654087f2429844e06c2b3f65e7481f4a98241220dc253e067f37a5444a1d86d847a9c4a94091763dc691a8392be1a9834c61aba6
SSDEEP

1536:imy5gvZv0kH9gDDtWzYCnJPeoYrGQtC6B9/31dO:Ny5gl0Y9MDYrm7J9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpE32E.tmp.exe

pid process

1796 tmpE32E.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

38aefafe444a34c9974398a96bb0e100N.exe

pid process

1036 38aefafe444a34c9974398a96bb0e100N.exe
1036 38aefafe444a34c9974398a96bb0e100N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1796	tmpE32E.tmp.exe

pid	process
1036	38aefafe444a34c9974398a96bb0e100N.exe
1036	38aefafe444a34c9974398a96bb0e100N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE32E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpE32E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

38aefafe444a34c9974398a96bb0e100N.exevbc.execvtres.exetmpE32E.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38aefafe444a34c9974398a96bb0e100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE32E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

38aefafe444a34c9974398a96bb0e100N.exetmpE32E.tmp.exe

description pid process

Token: SeDebugPrivilege 1036 38aefafe444a34c9974398a96bb0e100N.exe
Token: SeDebugPrivilege 1796 tmpE32E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1036	38aefafe444a34c9974398a96bb0e100N.exe
Token: SeDebugPrivilege	1796	tmpE32E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

38aefafe444a34c9974398a96bb0e100N.exevbc.exe

description	pid	process	target process
PID 1036 wrote to memory of 2336	1036	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 1036 wrote to memory of 2336	1036	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 1036 wrote to memory of 2336	1036	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 1036 wrote to memory of 2336	1036	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 2336 wrote to memory of 2912	2336	vbc.exe	cvtres.exe
PID 2336 wrote to memory of 2912	2336	vbc.exe	cvtres.exe
PID 2336 wrote to memory of 2912	2336	vbc.exe	cvtres.exe
PID 2336 wrote to memory of 2912	2336	vbc.exe	cvtres.exe
PID 1036 wrote to memory of 1796	1036	38aefafe444a34c9974398a96bb0e100N.exe	tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796	1036	38aefafe444a34c9974398a96bb0e100N.exe	tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796	1036	38aefafe444a34c9974398a96bb0e100N.exe	tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796	1036	38aefafe444a34c9974398a96bb0e100N.exe	tmpE32E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe
"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ucw6nifd.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4C4.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2912

C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp
Filesize
1KB

MD5
e8c60deb1c469c65f85ce471c87cf20b

SHA1
ed92d263328dbc2f6b427a492f8c83b36c27120d

SHA256
2835f8c3252d43d5fc868dfd798aa70333209ab0351b4b1bd39107c185bb27db

SHA512
0b19976b2365f830a62cf6108c51623b68e4c404cf6c2b7218e55ce70bc4595844feb503997dd39768a0d9bf35cdbcb6e59dfa0f18427c838c934f6ee4634109

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
Filesize
78KB

MD5
403ff7e6402b789632f06227b58076cd

SHA1
e3a85eaf65351dfb8905e87799c9e155fbe948c1

SHA256
7af999b6e38591fb62341dbd3f2a1598f05fe888d78f6db4ae750432a905c20b

SHA512
70c771a1b78e0e4c1760d52d47396d40ca3123cecd1d1a1d5fa8fcdebd3e5aa46ec4a939d3572f0fdffb32bf7e84f9af9ddb45f6a69dbc8858cf0e36ae9ff0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucw6nifd.0.vb
Filesize
14KB

MD5
49035f747be97e1abed6e9016c96c61d

SHA1
6fc3b0a8272ba92d45428b58334cf6c76fd5ec4e

SHA256
28f97c23dbb4bb3f877e61c056ee0eb3a3d5be1929a6796757037c8093168d53

SHA512
faa80669473872fec89533a2e4ff8ab757084ff6e07c7f722a982782ddef1e6522a7d535933dc9d2b63db36b1eeaaa3ee7446cf73dc9f2225235e356a4662916

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucw6nifd.cmdline
Filesize
266B

MD5
e730269dcd98bbc16d87b916b093bc59

SHA1
253e309a94c1d6e268a8ea3f952d1dcadd2ac2c0

SHA256
ef7cf3279fb3e64ab444f6a71666e89bac9d63eddce5299adb2b05496224ba80

SHA512
4998e8e6dc1ca56e64e370d723ac9730807282e58d230ef2973bcbb8753d855668d1e12951751848eca93ef30df7515e9791425225d400b7fda986f380b45d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4C4.tmp
Filesize
660B

MD5
dae8d8006a08569babc234e11b5d1e59

SHA1
371b9330d1bc03d87fde522b4c73e60aabe2d9fd

SHA256
2c02bef5904c77941c2b155bf495a96d4abcd6262b1f607fc3cda8aff188e145

SHA512
4da10fffb31448ddc3fbdedc5236571271b7eabee10d2504244efd9860867d6a64bb3bae0fe3a2fe048617fe24f666973f0136fd879c023bf69142a07b0a3a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1036-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-2-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1036-24-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-8-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-18-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads