metamorpherrat | 28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25

General

Target

28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Size

78KB
MD5

0c302be2c485ac1248ae94f54e3f5310
SHA1

96405b5ed2f2d055e3f4416f99aa4209bab415fc
SHA256

28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25
SHA512

2bdf429f0d955cb7b1e023769bf90d202b764a8b07aae00032aefdd4ad63f38dcc4325eee08cad2fca672188afe670de15bbf1b941cc2c4ad54e5694032912a2
SSDEEP

1536:hCHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQt89/vd1t/:hCHFonh/l0Y9MDYrm789/vl

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2172	tmpE012.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpE012.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE012.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Token: SeDebugPrivilege	2172	tmpE012.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2320	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	31
PID 868 wrote to memory of 2320	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	31
PID 868 wrote to memory of 2320	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	31
PID 868 wrote to memory of 2320	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	31
PID 2320 wrote to memory of 1684	2320	vbc.exe	33
PID 2320 wrote to memory of 1684	2320	vbc.exe	33
PID 2320 wrote to memory of 1684	2320	vbc.exe	33
PID 2320 wrote to memory of 1684	2320	vbc.exe	33
PID 868 wrote to memory of 2172	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	34
PID 868 wrote to memory of 2172	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	34
PID 868 wrote to memory of 2172	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	34
PID 868 wrote to memory of 2172	868	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	34

C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
"C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iuvpt0qf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE10D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- C:\Users\Admin\AppData\Local\Temp\tmpE012.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE012.tmp.exe" C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE10D.tmp

Filesize
1KB

MD5
0beb8b792defcadd91d87adc202ca6ea

SHA1
7aac8877395104510f20d3422abb9b60ff03d036

SHA256
e3894eb17497487dc0d6dcf719e79dbbbe227753ff179382c27112067d786a0a

SHA512
3eed11363f8821cb267d353fe588f47dfec0854053b84ea13da174001841cdae9240874ec8e5b7cb47308cb6cb987e83bbd1b2df15b637a4532c14b64d5fcf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuvpt0qf.0.vb

Filesize
15KB

MD5
be9f6fdf3116b39adb18a9d29ccd1029

SHA1
a20fe94334e1546792a294b93fa04d8fc8c4c2e9

SHA256
784f28e0efddfa2c5a612bc64f24a56038740b54cf417b7bd925644e8adb7078

SHA512
1ad033896555cc90deec1a78ff73cf6a02009f8edff6e97a6b143784da87cd794a4c5dfa12fa3b47e100019bb90e9f5115fc6668389ec371614c0993c45c9a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuvpt0qf.cmdline

Filesize
266B

MD5
fac5f7a847a373c67295ebe32a78480f

SHA1
fac5e73a89418d3751018d7b285b7b39de90e0b7

SHA256
73e1395c068a6427adaaa4b8a92b23c0a771d401e70ad1fb27dbaa2f602bcf88

SHA512
3992efc1328fbfa36e58c5fb9acaa17a1204f3ea6cfa766ee930858b8df934dacd5ff19d40f5c0ba5bf1d2731f437631848dab249dac4922af481851ebe5793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE012.tmp.exe

Filesize
78KB

MD5
8d540bec600d0871a3139c1b36b6eeca

SHA1
2b22016086012d24d990fcf3f50c71bda69dbcd8

SHA256
81af64f1b8ba364983bd0563c36289d19680827a327d77fb36257e4299eea392

SHA512
6a47230787b0983f06fe1a82df1bdb8a1b0f0523ef5821ff012177457b6f531559edbdd4a010a7be3fbd5c1408fcc67a37c0258c68396b30ed28451d35a40cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE10C.tmp

Filesize
660B

MD5
9fa162731cbfb37c1e123188b33ec69c

SHA1
87eae740f0594bc1de06ca3e5870701cc3fae592

SHA256
d5f935e8c7bc98ef69ea925ac467c9e14204afe3f40ee6bac4aa171ac3175bf4

SHA512
bc42757f3dbe7da01003274983cdeaaa84ce024f061337b3a7c3261883e405b78e5560453bef69371ceda0e34c925b4284af825692ff03dec0232be4f537fd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/868-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/868-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/868-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/868-24-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-8-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-18-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads