metamorpherrat | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275

General

Target

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Size

78KB
MD5

7fcb227cf50a8a6d141a28f5baf6857b
SHA1

bbaeca896472b6a7d1e67a545e9b537ff522fd97
SHA256

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275
SHA512

70301203754303b20ae3765be57c98cae6c15389e566ed6187df71bb3ce600ea74cb6d015dfbba57caa6e21c2b7a6e2704e42a120fab06ab6cbcdbae90a51328
SSDEEP

1536:iV58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6N9/u1L08:iV586E2EwR4uY41HyvYl9/f8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2840	tmp4F1A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp4F1A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4F1A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Token: SeDebugPrivilege	2840	tmp4F1A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2668	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	30
PID 3032 wrote to memory of 2668	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	30
PID 3032 wrote to memory of 2668	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	30
PID 3032 wrote to memory of 2668	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	30
PID 2668 wrote to memory of 2680	2668	vbc.exe	32
PID 2668 wrote to memory of 2680	2668	vbc.exe	32
PID 2668 wrote to memory of 2680	2668	vbc.exe	32
PID 2668 wrote to memory of 2680	2668	vbc.exe	32
PID 3032 wrote to memory of 2840	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	33
PID 3032 wrote to memory of 2840	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	33
PID 3032 wrote to memory of 2840	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	33
PID 3032 wrote to memory of 2840	3032	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	33

C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
"C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpqo3rku.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc517A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\tmp4F1A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4F1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES517B.tmp

Filesize
1KB

MD5
186e7aee5fd612ac5c767c7c01bf0ddc

SHA1
b77d446624b3ec2f1028ae1b013ec0e524ee9ded

SHA256
e32fc7a1d3b2bd2d9fe6e14bbddafc78571e6e393bc9747c0efc07bfb0ce90be

SHA512
a7a63ac8eb4e398dda5346a3b6d6d3cdb58f927170bab7019bff8a8a152d7f6fd854617b395742818c466e63c36cd1bf16f726232a69e7e320f52dccd2de96fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpqo3rku.0.vb

Filesize
14KB

MD5
bc5ea11fed85e9ee6084ddea03494edd

SHA1
836696ddae457b0b4ae2b65370a276de18d17c63

SHA256
be6ba414bc6c797064295e064c542c8b2ec1024dfcd9c18fd0626708ad901f24

SHA512
d8ce9b9dac8e75b722b5430e598df646fc68a71c5fac3e6f162a59f1e72bfff85f8e614676b5043327bbbc56bb7e17b524856e377f9c48c70466086d6776ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpqo3rku.cmdline

Filesize
266B

MD5
12b115d88bfcca6e01421ca87ee42c50

SHA1
8e2ca41981d1b99227594e19a53ef6ce594e6086

SHA256
6a1e3b0478688e4cd5639d12ffe391b915a297f6a6071dded58a2c0d51ad2d13

SHA512
71e96e74ce377091ef67931fee96c52ce00b68e64a33fb798a869b21f2cf04af6230185069851721ff7504b8f70e4a9a1a4bd5fd4b5fc07ff634a752c726902a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F1A.tmp.exe

Filesize
78KB

MD5
0a13f8f36154f971358eb241cc2df5c4

SHA1
897d91e53f1fe0b6b1b28ea504dc50723c5f4d61

SHA256
715ecb1dc255b44836436bfb7db2a095817ff4ec1e3db2ebbffa164f33248847

SHA512
ceb11bfa82556906a01e8db73786a756013a7690ac57aa5cba3ebe92ea53e334f714864629993c1ff5d03891f316a3c892b97b56a6b6cb2d20ab2be71982b1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc517A.tmp

Filesize
660B

MD5
1184154e658b623d8890820c2de0701d

SHA1
8424b4cac536eeb684cf202d4c2c185b4a0cbb69

SHA256
4be669fa78d2dd2e9594fdc20b38863714423a1e7466704a27eaf67113194790

SHA512
a09091fe2bef1d543786197d6af2898b6915719979f94b4d36f3f47ab9561a18a38821e2e830d96ae84f52a5c25adcd30e5212cf0f41a13a9de2a82fa15b75ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2668-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-0-0x00000000747E1000-0x00000000747E2000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-3-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads