metamorpherrat | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201

General

Target

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Size

78KB
MD5

54238da5a72ed01d7db296cf40b3340e
SHA1

fc6b5244a5d5dcdde315e875a85a905aacf07d32
SHA256

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201
SHA512

243750bc65586b57dc0c5fba7111f407f0ecbad4192539f6b800e1f396f9eacde398a9c5c2aa73ba1291cfb604de74deb4e16405eeedacb88be613d490cb3dbd
SSDEEP

1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3x:aCHF8h/l0Y9MDYrm7G9/sx

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2760	tmpDE1F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpDE1F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDE1F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Token: SeDebugPrivilege	2760	tmpDE1F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2456	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	31
PID 2036 wrote to memory of 2456	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	31
PID 2036 wrote to memory of 2456	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	31
PID 2036 wrote to memory of 2456	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	31
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2456 wrote to memory of 2088	2456	vbc.exe	33
PID 2036 wrote to memory of 2760	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	34
PID 2036 wrote to memory of 2760	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	34
PID 2036 wrote to memory of 2760	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	34
PID 2036 wrote to memory of 2760	2036	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	34

C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
"C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fpfgxfoh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE071.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE070.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\tmpDE1F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDE1F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE071.tmp

Filesize
1KB

MD5
92e4ab0fc32fc8348275e92c3276c190

SHA1
9a08f76e7aaa4bc7138e2b5e0963da5d001d564d

SHA256
4b254510ba87c0bfcbfd69d506eabb76ad647fa6fec3cc13e22f0c97218c2149

SHA512
ea768c97e17d4e6db6a9d78e8edb5543b8a612a55240ba4d852c3c3fc4c363181630562a39a1bdfeb3f3a8ffe9e17e213671d06179d51eff69bdcaa032d64c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpfgxfoh.0.vb

Filesize
15KB

MD5
4299097fe352396b09267a7267e31262

SHA1
ee295a1cf8236aa9924f427eed7e713f646f1147

SHA256
9c3de34bf1e4f2335333ba8db92ef7c0350b8599ad07c8a667a356199d229d9d

SHA512
d5e8a4f679460abebce45be3ccbeef737381498cce31eff560aaadef01fd3d9d882d0f6e6cda147aa0ed5eb0326f07497617c2a20d757e7838a5b627ff0718f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpfgxfoh.cmdline

Filesize
266B

MD5
ce77eacf6780482835e2a0735a9a8ae4

SHA1
a353a3234e93afa0a21434d2a1baaff03458d656

SHA256
55921e831195b6855b348301b59633b24c546298dbb9c9ed32f6585bd065621d

SHA512
76fb994294fc7ba66d8f404cb7af85f9a3fbe7208709a996786030a5b21470f293d0dfb2644fa8499eae373a5f171d9c7bd8387a63b11f0cf90270572e1283c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE1F.tmp.exe

Filesize
78KB

MD5
62a439631f060c1355e5004887e28974

SHA1
513ae95612097964ac0044a97c754b667399cc2b

SHA256
6fe86ec68668d1115a220f11907fad51fc57d715d282197ec2d73afde2f06aec

SHA512
96134208371f73fa433a79a53337266a28c4a95a6b335a6d8b3e9929f52026ee8865af11c52dd339dac6c58283f544d71d6a97b0c9779bbc9e018545a04c3749

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE070.tmp

Filesize
660B

MD5
8dfdf969c5432865bbb597241c546c5d

SHA1
fd5b53c06c09adef98df19f6f58384966c03a53d

SHA256
4fe89da05ee9c75a231ead41daa7eaaec0f1816a400ffca832eb985d868d0547

SHA512
2ceced7b112719707b334ce83b46b6667aa183e039695d1cc55799a08ab58180422318c49ae2cd2b39d7575ba6146745d79b221ea7cd375e304122aa601a0d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2036-0-0x0000000074221000-0x0000000074222000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-2-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-24-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-8-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads