metamorpherrat | 3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540f

General

Target

3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
Size

78KB
MD5

71a07c88199d972fb9b178ad4aed0e60
SHA1

a6de4d4001d7c0ccce42dacc00648ccc49f4121c
SHA256

3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540f
SHA512

0efd6b0240eaad66c9c8ccd7a0a1bc3794eff4bcd837fb714df98f58b6e0acf48333f5328a6aa0647db02b02dc8e85d114a3904041c9e7873cf7cbd17229e007
SSDEEP

1536:sj5jS2vZv0kH9gDDtWzYCnJPeoYrGQtN6I9/51z8:45jS2l0Y9MDYrm7b9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2272	tmp954D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp954D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp954D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
Token: SeDebugPrivilege	2272	tmp954D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1748	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	30
PID 3052 wrote to memory of 1748	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	30
PID 3052 wrote to memory of 1748	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	30
PID 3052 wrote to memory of 1748	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	30
PID 1748 wrote to memory of 544	1748	vbc.exe	32
PID 1748 wrote to memory of 544	1748	vbc.exe	32
PID 1748 wrote to memory of 544	1748	vbc.exe	32
PID 1748 wrote to memory of 544	1748	vbc.exe	32
PID 3052 wrote to memory of 2272	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	33
PID 3052 wrote to memory of 2272	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	33
PID 3052 wrote to memory of 2272	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	33
PID 3052 wrote to memory of 2272	3052	3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe	33

C:\Users\Admin\AppData\Local\Temp\3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
"C:\Users\Admin\AppData\Local\Temp\3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpfsgwbp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96E3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Users\Admin\AppData\Local\Temp\tmp954D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp954D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3cb3a2c8a232799f1de0d0d111bd80db9d2f83c145ecfa56344f190b3ff6540fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES96E4.tmp

Filesize
1KB

MD5
32dc5ad498b99e72ae91d354c509bd37

SHA1
29f72f828d2417ddc11cec40fa8520c47d70ab05

SHA256
12f43fe6e4447e1b9334186b11da3e1a3a55db3d30941d3b74f76930b3fa018e

SHA512
85d3a9d42ebadf09bc9de48662df2b689f3dbaddbe17f7bf58ca789445c21ce266500007a1b3945bcb83c3cff1b6fd31230ab7fafb0ce342cb7669145bc2394a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpfsgwbp.0.vb

Filesize
14KB

MD5
6c90bf056a468599e20b9dec80d1a9e2

SHA1
af9d7042d0bc5953214cfd1a0149a8d98ae332f2

SHA256
2e722de2e0f41246833bd4f8d01fd5234e3c90aaeaa54a21fd922258356b4821

SHA512
c87c772cbc93e9151c62af5e994a4a7384270d4a4d32d6bd3bc6b0b575a0d28edba590e1760c9b0a5f61a1d10225dbf7f88eafe370f90a21e7eef850e498fc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpfsgwbp.cmdline

Filesize
266B

MD5
498e1cf7ab776f0def2136901146dc71

SHA1
7f261b2ba9d4feb24572e270ecef55213e65601a

SHA256
ce8b8ceac9d40c571de80d4ca1b4bb5b24cf9e630f4f35c42586a297594dbe03

SHA512
55ab5742e604f632318545766b31b7687cc80b7f83c494e0bc5d76d0396a0c4c02361b8f101551a04a3df3728103b8fd191832713bb03429e5b0d5da978f0b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp954D.tmp.exe

Filesize
78KB

MD5
5274d11d82fa2166628dd68c6f08e4da

SHA1
aec4270167025f33a34719a1e55e48b04525a5c6

SHA256
cc0ee5bf45306f74f516172801405642c022b53aae39f30cc66863b1888ba77b

SHA512
587618a0c56116ecb2813a2f5806b472d32d4a91981b3a413cc87cfb4d688a23bf20857c4404e1eb973fedae4ac085350005b311108f3e53304b10ef6290679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96E3.tmp

Filesize
660B

MD5
e2b3f9aca4f0d8f91f9f82933907b81d

SHA1
3c86326f572a3d2c9f21a68785899fbe91b4b779

SHA256
7be1aa943b92f1a60f2e922681a41a312fc3120800aa3925f2210374dfe7e7f4

SHA512
8282265a853eab1d51286d86275ef580e8a3f6083bd77e989d0f8b8e9dc3573dcda92ecaba041298db4aaa464b1da5d81975722c9d2bd49ebf0eab7b0949beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1748-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-8-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads