metamorpherrat | f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee

General

Target

f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
Size

78KB
MD5

5442090d4a6270929333c4b92a907925
SHA1

514f4c4c499e8fb027aa781ec252ebdeb2c55894
SHA256

f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee
SHA512

aed16d6e1a60c6e3b85313263f46c03795f9f6f7a5152843e685d05a8f0f1b2cbb7fa83aaed853cfa277d8354a47445c8f612af5b933aeec3933be3fb6d7070e
SSDEEP

1536:/Oe5jovZv0kH9gDDtWzYCnJPeoYrGQtC6j9/M1xW:me5jol0Y9MDYrm7r9/R

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2076	tmpD845.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpD845.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD845.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
Token: SeDebugPrivilege	2076	tmpD845.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1800	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	31
PID 584 wrote to memory of 1800	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	31
PID 584 wrote to memory of 1800	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	31
PID 584 wrote to memory of 1800	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	31
PID 1800 wrote to memory of 540	1800	vbc.exe	33
PID 1800 wrote to memory of 540	1800	vbc.exe	33
PID 1800 wrote to memory of 540	1800	vbc.exe	33
PID 1800 wrote to memory of 540	1800	vbc.exe	33
PID 584 wrote to memory of 2076	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	34
PID 584 wrote to memory of 2076	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	34
PID 584 wrote to memory of 2076	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	34
PID 584 wrote to memory of 2076	584	f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe	34

C:\Users\Admin\AppData\Local\Temp\f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
"C:\Users\Admin\AppData\Local\Temp\f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ng7eionj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8D2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f3fe6e01083a00152bc918e3ba195b902e9efbd08b04b2402284c7bd026cd6ee.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp

Filesize
1KB

MD5
b4bdbc6a2749c3669037e545f11b5f5d

SHA1
b83979f621b4f87b421d205250cd0b920f7264e4

SHA256
745d1a743c6bab3cc76fef7d53d6befa2f5df794248e7c8a6d0941897b0817fe

SHA512
c41aa23a5d835d6bf36af1de36e7c15996569ca8f9bed09be26634d3e4a2495eb92d857643b411cf9ece5cac80cf298e6dbf95885abb4ca6bb82e9d2c421d8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ng7eionj.0.vb

Filesize
14KB

MD5
6fc12e62af6bc44b123894cb96a05962

SHA1
3e6a7478917bfc0ae8b355f4f913599e5d9e7858

SHA256
ead52df09589932e9c27c8eee4d3e2ac1f7e8950fab6e92c5489811d60ba11da

SHA512
02a85dba4eccff6c2f1005f5a636dece30aca6984de418b8a37922c2ad64b3bfcb348acea44fa47ccce46bbb8460d7e9d8c99515423ea54889a38b843a031640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ng7eionj.cmdline

Filesize
266B

MD5
d57c67c731dc00b13be50de29b1bfa42

SHA1
ab406c1dfacb3061c80fd28f961fb7df835d23a2

SHA256
68ee73a634df309e99df378ba2a8983350356ea0826c86f41743a4182794ad36

SHA512
41cdd739ab5d7975b7bd1e3eef0e5343cf8bed3a00007ce623298b6322988bade00bc62b7357bb07799ae51c76a631cb79f690795ed4570344a9ff5b785b9d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe

Filesize
78KB

MD5
f5a663a50e6ad51d0079d355b7c4b84f

SHA1
28f50d00ddf08c7e682b8f48ca4795fb7dfe953c

SHA256
054b8d173579af7ee7e4ee157abebcc42f7095abcfca27fca21a8f9e59236e9f

SHA512
4df07a55da2a6b7afc4f206858837290e9e3ed5ce3e0097fd471bbb77685896369ba36918c841f3d410bd6b2ee86472b172a262ac996056de8dea588f21b0598

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD8D2.tmp

Filesize
660B

MD5
490214149c7dcb0b26d73e7ebae76b6b

SHA1
a6c6acadb2ee37c8df69c437caf91bf2c5bd4d05

SHA256
5fef5565c69d5bae63defc015515cd13eb0dbbdc7a6bb61f7c51b6a315fc96dd

SHA512
6edec27af0d514abf15a271c7616c4e182d4f93e43b4e826a54f06d31fe2b298321d3d0a0de0b70c802b7ecc6ad23a67780805f240bf87c10a545deb7fa0ac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/584-0-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/584-1-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/584-2-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/584-24-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-8-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-18-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads