metamorpherrat | 2e1168dae7669807b8905799e3734c7a49e683db6c5fce6230a92508cf98f1ee

General

Target

dea981aaf4a2cce10bdc02ad863a0c00N.exe
Size

78KB
MD5

dea981aaf4a2cce10bdc02ad863a0c00
SHA1

5dba73213a7d5e5dbd93c78b40580d9974a4c43f
SHA256

2e1168dae7669807b8905799e3734c7a49e683db6c5fce6230a92508cf98f1ee
SHA512

1af91f3fcef41ef3eb03ae71054d0a6c2a9b3c2641f2fe0ecd2bb313b22321c409336cc5b0d654f55712acb754c900ed272355a3da1c1a14352412f31b77620d
SSDEEP

1536:WPWtHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQtt9/d1U6:WPWtHsh/l0Y9MDYrm7t9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2748	tmp821B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe
1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp821B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dea981aaf4a2cce10bdc02ad863a0c00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp821B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe
Token: SeDebugPrivilege	2748	tmp821B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2076	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	30
PID 1704 wrote to memory of 2076	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	30
PID 1704 wrote to memory of 2076	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	30
PID 1704 wrote to memory of 2076	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	30
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 1704 wrote to memory of 2748	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	33
PID 1704 wrote to memory of 2748	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	33
PID 1704 wrote to memory of 2748	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	33
PID 1704 wrote to memory of 2748	1704	dea981aaf4a2cce10bdc02ad863a0c00N.exe	33

C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe
"C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gdo7want.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8325.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8324.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmp821B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp821B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8325.tmp

Filesize
1KB

MD5
0b78dc0adcc046bd4403fa02dca37df4

SHA1
7226ec99f046e6673583b49b02f2ba5b050fb75a

SHA256
2c3c33f5bc5a2b85572dda7ec7d1ea82a543373b6e9f7824bd48c4d61916f4ef

SHA512
3698c10d78409e50b2736b09ef5a760b4d44ce61627366a96f455d3a162fcfd3d48af616a9277e43f32025d341e891a95948d82991cd3f7c3255abf42eecc8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdo7want.0.vb

Filesize
15KB

MD5
018505a0cf98de410e91011c59292c4b

SHA1
afe0e382e25345945dd93efa3773d0143861cb73

SHA256
775becad6029e062d6c429e684a3f25a935c3c4dd208e9b2c5382da00e98ded1

SHA512
4f77a489050032157faecdd4328ca3154679766d938fb04fb4b2070e363bffe6ae39bedac3281f596e9317769e5dce4707507660abee5ce543ff9647d9a95b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdo7want.cmdline

Filesize
266B

MD5
8b87f042e4f17c68069071fc8b89734f

SHA1
f945aed8f671e241a563f524d49c8fadc04de064

SHA256
5d3129f86acba9815c9490a8177bd51a5e9f212950d82beda152e5c3314d361d

SHA512
e554a84e8cc1054f6133bc5060627a41cecfb2f0e4f917d4e0ef1c143480be44dbdf99387709d445c7368b71be6059a33435aa62e96b78083fa9880bb42e78c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp821B.tmp.exe

Filesize
78KB

MD5
aa5f49ca70ede3c3bfa003f2ff338806

SHA1
694170de7377145fb69ff576191c8e0f6afb02b1

SHA256
ebe5b222f0866438f80ed8a75ec7132b81b4c4ca0065419adfb8537a576b0043

SHA512
de10fe257260d7db46785bcd58363a69c8d5a2e09d3107a8f2c9d79b3d8fce442f0b1516f2397395730628b929a3c747f931999aeb81cb2765d948b6fb267670

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8324.tmp

Filesize
660B

MD5
0ec98709f092c081b287edaa6ba119f8

SHA1
8feaf909d89dac953a1bf6d6a89261d4612dd12a

SHA256
d8cd613077f2e97b29ded3f874b098e13941d5a70812e12aaf63313dc4fdacdc

SHA512
7abbc98066b5d306594fe9a834448576727d2c6bb976c398ae96b058eeadab1c25b24a90f2dc79b51e24e8326299955efabeee024352232f0984704c4719f9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1704-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-24-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-8-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-18-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads