metamorpherrat | 2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55c

General

Target

2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
Size

78KB
MD5

eb568baaa4fa2ab0f4610b65c9a2e190
SHA1

5b705af15e784dff0f2695a9fa2e52db30c3b104
SHA256

2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55c
SHA512

65e8dbc5ee399ac49ba000842588c3917b719aa969e82795a6a8fc68459357d553aa537a063d6a75d0cea4a2a55fec0100be13aa07aad5e7bfabffd55692da2a
SSDEEP

1536:BPWV5jS4vZv0kH9gDDtWzYCnJPeoYrGQty6o9/T14w:BPWV5jS4l0Y9MDYrm7w9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2112	tmp3B4C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp3B4C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3B4C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
Token: SeDebugPrivilege	2112	tmp3B4C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1384	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	30
PID 2764 wrote to memory of 1384	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	30
PID 2764 wrote to memory of 1384	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	30
PID 2764 wrote to memory of 1384	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	30
PID 1384 wrote to memory of 3008	1384	vbc.exe	32
PID 1384 wrote to memory of 3008	1384	vbc.exe	32
PID 1384 wrote to memory of 3008	1384	vbc.exe	32
PID 1384 wrote to memory of 3008	1384	vbc.exe	32
PID 2764 wrote to memory of 2112	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	33
PID 2764 wrote to memory of 2112	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	33
PID 2764 wrote to memory of 2112	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	33
PID 2764 wrote to memory of 2112	2764	2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe	33

C:\Users\Admin\AppData\Local\Temp\2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
"C:\Users\Admin\AppData\Local\Temp\2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qholaevn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E67.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f9b56cbf8d6782be656628b101eb3e7bffb61c950a3d8aa54d9f6350012c55cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3E68.tmp

Filesize
1KB

MD5
1dda9041b1eacaf022e66ef31f5409a3

SHA1
d2cb60a66560aa1560d18fa4196c0e9e4bda1bde

SHA256
065e470ded792a5e15e1e9ce812599bca6a299712ccd1a4593c3eae52c1aa80c

SHA512
3d4b3bce3630efbfcb142d41b36dc90a5fdac8ceec10636298959163f4d43710115c43b049ea0c71bbbceac4e6a2005181af7e44c248aed0ca5cb16df67ef27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qholaevn.0.vb

Filesize
14KB

MD5
9bc8720fc811cd9bb3c5af447c38e1ca

SHA1
b74c27298fec20a2a3855ad59c18e42bf05aac38

SHA256
187069b1a905405b231ca9ef5b33fb03e72c93eff349b12b5bbc2aa6874921a2

SHA512
3855debe0ec0954fccb171e11475610ac25abecea0fb9ca29ef995d39832085e5e44b39de17f0a145dbcf0efa502476485031f2d96d18569db3967a4ed59ee48

Download Submit
C:\Users\Admin\AppData\Local\Temp\qholaevn.cmdline

Filesize
266B

MD5
5bddb67b1da50e417ee492ed955bd00f

SHA1
f9bfaaffd87c0f61ba1eb57403cb3824cac25b8e

SHA256
9c586187fe2df1aab91612c75839bf84169f4aa18f65d511b3b6af8da14d1b2e

SHA512
37e626bdffca7cb7f3f500a03f299209cc60f9445cdd1c4cf4d4d502a344c5e111a26d97802d832bc578cd8fe0ecebaf2a493f29377922a69b1cb25c4a54f445

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B4C.tmp.exe

Filesize
78KB

MD5
ebaa7ee9ae6ada49adb6f0c81de8de79

SHA1
e0a0a4e386e4ae76e72ae3bf7dc17595d588d838

SHA256
dbf7e44038d4c822e8e1f4fccdf0f9ad826b51085cedb820b64149ef17792821

SHA512
a3c3540932cb5071f0638fffe0ac78ee56e9ccedb338576a916a6aedaf8b1d97d53b9fc8714c7d898a875ad500ce5dd1f69f924d4398b0f369eb19ee75e2849d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E67.tmp

Filesize
660B

MD5
5d052f87adc11b5b9d604e8d124672e0

SHA1
429e26b026106776e27ffbd96c940a11498d7ccd

SHA256
91d5fab711d6dc543db0a50064b6dd6c0c433a0f40ebf806f381fa471eb156ae

SHA512
6db4d9ecf33b0a68f9fcda73cbc35b9587a9a02869891d17784edb99b84f0fa5746570881e32114e1c34756dd7e1b5a5dad2aba559d247ad33de5ae4bafc59e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1384-8-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-18-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-0-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/2764-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-2-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-24-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads