metamorpherrat | 433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92ac

General

Target

433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Size

78KB
MD5

cfe6ac06bb6a68282f85501256dd9f10
SHA1

f12fa1d8fd6ac173c268447d5eecc7a19512d722
SHA256

433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92ac
SHA512

192f6d12ab6eed250be89914706fbee692a853c74dd6c3ed17dbe6091178d37aa2729ef01f68f2ceca3b09dc3ba7716f39518bd4bd4500836d080d7e0273bed4
SSDEEP

1536:UPCHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQt49/Ix15F:UPCHFonh/l0Y9MDYrm749/I3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
536	tmpBC2E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
536	tmpBC2E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpBC2E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC2E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
Token: SeDebugPrivilege	536	tmpBC2E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2372	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 3000 wrote to memory of 2372	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 3000 wrote to memory of 2372	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 3000 wrote to memory of 2372	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	30
PID 2372 wrote to memory of 2392	2372	vbc.exe	32
PID 2372 wrote to memory of 2392	2372	vbc.exe	32
PID 2372 wrote to memory of 2392	2372	vbc.exe	32
PID 2372 wrote to memory of 2392	2372	vbc.exe	32
PID 3000 wrote to memory of 536	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 3000 wrote to memory of 536	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 3000 wrote to memory of 536	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33
PID 3000 wrote to memory of 536	3000	433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe	33

C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
"C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\68pig6p0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD66.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\433f9e08450c865408992f95fc352ecaefdd393e45180860da2013da0d4a92acN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68pig6p0.0.vb

Filesize
15KB

MD5
b002ff6245c8a99add9294d5e6fbdab9

SHA1
7b8a4ae08af5f5a88a33a0204f429a872035667e

SHA256
5a2558fcb402bb653e50ecf17e6c42002e09cd68600ffd91514d6379c186807b

SHA512
283835d67484776daed149441877e2d0a3149373037c7ed2acd5ddf32ebd1d42cdc7558135b318658993bec8585e12f479f33fd50f7f3dd155a02e98b3e935dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\68pig6p0.cmdline

Filesize
266B

MD5
67a0ed6bb5030ce64e6d87743846deca

SHA1
bcd69b191950a31272cce79a1e32dd2a6420cdd6

SHA256
bdb7cbb066d20bf4d46e1354ddcde303a4ac390fb684eac22fb49a57e214e8f7

SHA512
9c5224a0d268274e21ab1a1bb676a4f872f5b7ba44c95117e7a760b1d5d0b7e0c6946f5ff2f859bfa4ca47004ef6884975a1b8a7a877afdf5ec7818960570180

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD67.tmp

Filesize
1KB

MD5
cf65026380e45c001d4da2933211ec4c

SHA1
eb90abda1db0f5f5029631fe55852e00cd3aad3c

SHA256
b912521dda48f716a2d87e6fe25ee30245e5bbfbae6af7d98523ef3cd368ac8f

SHA512
a9caf83a2d306082e787ae848a9a0ec6229903f7e1d022d9cc5e7f362c86d5d28cb137dc60687c3cb0418c2c4f046c013b3d7b9ce544b85012bc57c96ff1d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp.exe

Filesize
78KB

MD5
3fa2cb08a371674fcd5a308df7d1efef

SHA1
f9252cc1f246f40ec89a90ce4ab1537c546adf70

SHA256
1852a96a65843e858bc024c227fe65d66c7da42742bf011be280341220993a9a

SHA512
5ff247c9795c08f80173cfe1c402ebc20971630ac01da37d3ec20c3b0e7f6a0ead18ef3ce9bf1f0d25cf09d62aa402bc82c501150e27310ff86d5da58e4a7fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBD66.tmp

Filesize
660B

MD5
6bbe9a8b3f8ba85bfad38541aa9a6306

SHA1
f66c466d97a8c218d35624665f89b873e8588e6b

SHA256
64086f0e191b21f94de4530bdc376b938c58e6e995393a02ee1be508bafc3b8e

SHA512
eab1d771b77d8ccd0647ff8d32a7176eb63b2fe4a7a4eb430e422fb67b351ed5f273db7232d4b9a719f5b23e71dc990bb2335c83d5d7afcdfe75174e9793bb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2372-9-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-18-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-24-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads