metamorpherrat | 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94

General

Target

29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
Size

78KB
MD5

2b6d788a913418a66f8ae8deb56a9332
SHA1

433fc427bda528c88641780307764dce8564ecb3
SHA256

29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94
SHA512

cf77d1c36cd7fbe00d33917a0c924bf6b7ba1b604730198b37fffe1e6139cbd8c4946a1124334228d80e1936ac941a370a8d6703058c6899ce97ce5cc13ba740
SSDEEP

1536:ECHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQt1p9/K1LiQ:ECHF8h/l0Y9MDYrm71p9/1Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3044	tmp3830.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp3830.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3830.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
Token: SeDebugPrivilege	3044	tmp3830.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2180	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	30
PID 2492 wrote to memory of 2180	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	30
PID 2492 wrote to memory of 2180	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	30
PID 2492 wrote to memory of 2180	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	30
PID 2180 wrote to memory of 2456	2180	vbc.exe	32
PID 2180 wrote to memory of 2456	2180	vbc.exe	32
PID 2180 wrote to memory of 2456	2180	vbc.exe	32
PID 2180 wrote to memory of 2456	2180	vbc.exe	32
PID 2492 wrote to memory of 3044	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	33
PID 2492 wrote to memory of 3044	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	33
PID 2492 wrote to memory of 3044	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	33
PID 2492 wrote to memory of 3044	2492	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	33

C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4mss3g5a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AEE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4mss3g5a.0.vb

Filesize
15KB

MD5
38c481bdc30be878567d895861a73aba

SHA1
95fbdfa5207482a9a1a5297aab8a62a8a23bf834

SHA256
eff2fda7ca2fb4c47bccbdf222e7aa26131142a2114ffbfe067ea7afba4b94e5

SHA512
fc10ba5d943c2fe890e6d55d9dd2e82a4469316c253d92abd45767e65ea82f43b1d9a02a4b0232041e9801842dd745e3d59df950da2280bd8f9fd2f131b52bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4mss3g5a.cmdline

Filesize
266B

MD5
8ab48d3e951fbcb98b8672818b258504

SHA1
88275ce3b7718d06bfb2f75a2aa42b94b4688df9

SHA256
1f1ebaaa8e305ca08c4dcde38f3dcdcfafe87a2ee764c90e54ba03ab005cff20

SHA512
b68d94108687485ca54413bf126721773bfc4ce181cc17b1860e0ac5e1d41e719df71666315b80abac67d1efa53ee42ba61a6a82d455c87c04a62ac266c0bded

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp

Filesize
1KB

MD5
06c6fb01187dfd6f4a2833adba2ef8c0

SHA1
7a662f33eff59bd034da9075938759e735bcb550

SHA256
5bcdfa5f06f62d957808a467364564d4e6d88ed455dca1b836d27567e1a32787

SHA512
b80c33ea1875cd15c7b7a3d3da63eba0a681342e11de49bab314ad46195fb1f4d350b2df50a7efc2d4630ccc88a0b29183e1b2d794900d4bc5fac3dc1cbfd581

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe

Filesize
78KB

MD5
5e2c76b14ab56dcc7d9e06d5f95493e2

SHA1
198447e4cd0d0bcabc506e960ff97e60fa571b75

SHA256
65692e6bfecdd47721bea4f69d5575bb4e517ec65fcf69cc1f5870040bc30da1

SHA512
9e989ed9f521790a9b73ea0723baf8b3d3ce3e3782817c01c3ea55cedb9c253c3978dab6225ae8ebc693de0921208d61ee2ab64db7aeb7b4c95da5c1307eb673

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3AEE.tmp

Filesize
660B

MD5
27f09b269676a8ead0e6be5a913b8e0f

SHA1
e598d387cc7f16b95358547f75fd91506ea6b19a

SHA256
32ad988fb73360a38e51629caa6908c8f4079229144f6ea3ad6974fdc3202e31

SHA512
291a3cb977a277c825d2eaa8058837aa4004bf1f53239f56f08e9046fcaa1bb7323188111c528da45b58cb10304a2b97a28ae67ba1b9dc05ce4fe6615f2903e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2180-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads