metamorpherrat | 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831

General

Target

046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Size

78KB
MD5

c1c088343ee0fa26e039c9990f1a2d20
SHA1

274e70ffb38cffffb1a02e04b5b87124600eb139
SHA256

046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831
SHA512

207037ed07645b5346a8c7e4d49cf1274ad8ba333e048a92906917694a776a63202444e909873ee2efcd7357b126879ef0b34b6523087e1f94dd130e1063a2eb
SSDEEP

1536:cPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtD9/I1vl:cPWtHYnh/l0Y9MDYrm7D9/o

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2668	tmpF805.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpF805.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF805.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Token: SeDebugPrivilege	2668	tmpF805.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2656	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	30
PID 2980 wrote to memory of 2656	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	30
PID 2980 wrote to memory of 2656	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	30
PID 2980 wrote to memory of 2656	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	30
PID 2656 wrote to memory of 2348	2656	vbc.exe	32
PID 2656 wrote to memory of 2348	2656	vbc.exe	32
PID 2656 wrote to memory of 2348	2656	vbc.exe	32
PID 2656 wrote to memory of 2348	2656	vbc.exe	32
PID 2980 wrote to memory of 2668	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	33
PID 2980 wrote to memory of 2668	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	33
PID 2980 wrote to memory of 2668	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	33
PID 2980 wrote to memory of 2668	2980	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	33

C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
"C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtfufoeb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF90F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF90E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe" C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF90F.tmp

Filesize
1KB

MD5
96f8bebf5daf3dd62cb33ffd4cf3bd87

SHA1
8de815448d228a32e35914c3b36ddd9b53141d74

SHA256
fdbc6fb9b68612f31d9e457b3fb84c999851c0aabe710aa86035b2a1589bf831

SHA512
bd2ccfdee5dd4f5d9bcaa2c533eb13387c3583f4ba9ce100af72cfe85d8b1a36c26a84d7d7f51bbf5603cbe36c9933f96ad37cf41cb39dc2aefad9aa82c4710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.exe

Filesize
78KB

MD5
55eaebe79586a4cbb7bc9164cd1e7fc5

SHA1
9584e9f8cd7b6aa1606a20b17901ba561c2c5db1

SHA256
c44fa0257d2f8090e139f1176291b5ee3a8efac494212434fa3abc84c69247ce

SHA512
c4f633c69890527c5c63677644d91a34db0b5488a3bc571450ab17a3a9d9a1d61184d2b03223379d00df55d55c74c5f565a27e170235cbc9ebca6a0d14afa1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF90E.tmp

Filesize
660B

MD5
fc19964a03d70ae23179c5d0ad2d7de1

SHA1
9d6b03d8a3e627d8ee821e33c0d7044d385d2e34

SHA256
188a03e77ef13515d6f2dd4ece119dab5e1757f713874cfafc6b838bfa46ea45

SHA512
4bca9ef97d6df377d5003f0c0af5ff1c96b7ab57413b2e8d3977071361240da9233d59c1d07199e60e612220db606f69a1813795203650c3e04fecb14ee82f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtfufoeb.0.vb

Filesize
15KB

MD5
0cf9237f36988c5f7b3f7e1d3f263ca5

SHA1
213610a6bb3823e97d86eff1681f7b89db676df0

SHA256
5997c18c1bce41b1d69608eb0e6a4266707f4d7f6a2f563b1191502c28cd02bd

SHA512
edac2b79b62ec825dfbf510a913abeca7144730274ccedd7692f4530a6dd6238b51b83f65eb5d926b5eaff59a0042bf73fb365c3fd13bb00426416264c2d77fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtfufoeb.cmdline

Filesize
266B

MD5
06b41e1759d14cb346b7c633590f4e32

SHA1
38c180f4075bdea12cafdca70c21db555e7fec72

SHA256
fb5f9a4ccbd8d0d2d4dbe87ed87d2b6c8cd82de2a4857ba5c6ed5aa09cc5f2a1

SHA512
00214e7960dc464120b8de8796531339087563c19d29d9fdb853d38b60a9c141df13ea395261a8fd67cf15b1927a2b31d48fcd4382bc78f3cbd5ca5ae524e4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2656-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2980-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2980-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2980-24-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads