metamorpherrat | 433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92ac

General

Target

433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Size

78KB
MD5

cfe6ac06bb6a68282f85501256dd9f10
SHA1

f12fa1d8fd6ac173c268447d5eecc7a19512d722
SHA256

433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92ac
SHA512

192f6d12ab6eed250be89914706fbee692a853c74dd6c3ed17dbe6091178d37aa2729ef01f68f2ceca3b09dc3ba7716f39518bd4bd4500836d080d7e0273bed4
SSDEEP

1536:UPCHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQt49/Ix15F:UPCHFonh/l0Y9MDYrm749/I3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2800	tmpA44B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpA44B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA44B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Token: SeDebugPrivilege	2800	tmpA44B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1720	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 2544 wrote to memory of 1720	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 2544 wrote to memory of 1720	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 2544 wrote to memory of 1720	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 1720 wrote to memory of 1744	1720	vbc.exe	32
PID 1720 wrote to memory of 1744	1720	vbc.exe	32
PID 1720 wrote to memory of 1744	1720	vbc.exe	32
PID 1720 wrote to memory of 1744	1720	vbc.exe	32
PID 2544 wrote to memory of 2800	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 2544 wrote to memory of 2800	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 2544 wrote to memory of 2800	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 2544 wrote to memory of 2800	2544	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33

C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
"C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bt9axk8z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA536.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA535.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA536.tmp

Filesize
1KB

MD5
18e76ca263e4cdf68f3dc1a61aba4fea

SHA1
1161a6331b4508f03a13a0a2816b663772441284

SHA256
ef66d50c1d43abcb6b076fedcc2c9c7082b6085cc0cbbd6540c2ca0ab2e416ec

SHA512
879065f723ce652fc043e3bdaecc7e940e5f79a93f01c6a3b3726d6e9abb648e9f93210ea8d0d6d9623be8d3ac24235ebc711cf172ab331edb6645515adab72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt9axk8z.0.vb

Filesize
15KB

MD5
66287e093c59198bc2f099be7c686e54

SHA1
c138538cda6662f00bbb4c12ade95ae523a0afec

SHA256
9cacca4f8cb04ba729de76ac35552cbc71c8a4c699cf1060ef21e469ffc60449

SHA512
01b612f86719f2d00afc2a75397928217ae40b21b5251f8c63e91d1509482d6106848ecdc722676666932b1718d8e9ebb6b0fff043f8a63df9e4d4c102dde3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt9axk8z.cmdline

Filesize
266B

MD5
58033fb47f69af764a5f6e699fd657d3

SHA1
e5dfd708eeb9bddd5bc880b48af037fc2401d1ee

SHA256
b419f7c3c58ae73938660ed17f8ea646818e7470efa76e58e928892290d57cc0

SHA512
d8217fbdcf88f9365d06c7de8ac9ca8ea7b263aa179d6d2ff8cadb5689e00a76ffe3de9f9faeddc3f4331eafda2199d26fb44364d7e032a4d3daa3fe1adfb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.exe

Filesize
78KB

MD5
a9aa3707b68b440344298e28a0eaee66

SHA1
9ce921e5530962f7e12a93d98e972220ef55d367

SHA256
da3ab7ea3adb3daa820947d157bea9ac0691a56858cf28f2675d3ca1ac3b0a34

SHA512
226b7dab8f4ba1834f06a5d0ce53b133d1f88e545365fd9c0e3a1f3a31c524d0081a543a1f91a02258a380ba4010184f6d3bb982719af9bbdaf94bdfb3c5d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA535.tmp

Filesize
660B

MD5
d7e21339413fb658bba126a57dc3de5d

SHA1
2aad5f88c34583b5c989509987e5e85fc7d6d548

SHA256
d60d49d27ea5e35a9153c25bc413f302b91c580fd16b4cf89da8834cfee9a0c4

SHA512
574c7ceead815c26ba62f18c388bb39c225f6fc7eac6f1a94ebe9aac965b6624f4033f41f1952b754368f6c58169c4d5b56c6bab144a74e32887a8e962c6e7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1720-8-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-18-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-0-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-2-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-24-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads