metamorpherrat | 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a

General

Target

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Size

78KB
MD5

01658283871862263343db8c80526e20
SHA1

7304d9cf47d70ccd9a54892e53205ce8ed86d33e
SHA256

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a
SHA512

3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2744	tmpE32E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpE32E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE32E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Token: SeDebugPrivilege	2744	tmpE32E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2288	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	31
PID 1720 wrote to memory of 2288	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	31
PID 1720 wrote to memory of 2288	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	31
PID 1720 wrote to memory of 2288	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	31
PID 2288 wrote to memory of 2432	2288	vbc.exe	33
PID 2288 wrote to memory of 2432	2288	vbc.exe	33
PID 2288 wrote to memory of 2432	2288	vbc.exe	33
PID 2288 wrote to memory of 2432	2288	vbc.exe	33
PID 1720 wrote to memory of 2744	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	34
PID 1720 wrote to memory of 2744	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	34
PID 1720 wrote to memory of 2744	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	34
PID 1720 wrote to memory of 2744	1720	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	34

C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
"C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_vh32jnc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4A4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE4A5.tmp

Filesize
1KB

MD5
518c8081596dee1069239969e39cc012

SHA1
8e612bbabdf1932e712a5b84e6d64cb98c937e0d

SHA256
b7e1b87f347dce2d04488f895fc8091b9b9caac8defcbcbfb25b8687499e890b

SHA512
3e04419d18b97c1457c0b42567a34f5efb97c4e69295614b6a48bf3ea6c9f4aa8e43c25544d568b49b676ea5444e055772554681746acb18a3c5abbdf5e5302a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vh32jnc.0.vb

Filesize
14KB

MD5
ce85b0cbc99cf52fcc19c2586effcfd6

SHA1
778c5b13aa7e887a8c9476a0c1a8f7e439416f32

SHA256
056f73160bb6b6077374248b78faedf5040555507330d9822ede52a134c98277

SHA512
ee8da67732396d45e58362a30d01ba3527eea3d7facc9d30c0f6792ab0920a014b813612105ae370b13cbca13c9a8250a6653c8ab3a4f2761812123b5b8fb3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vh32jnc.cmdline

Filesize
266B

MD5
0abc3536f26e1127943691e431b41c9a

SHA1
a8efa6ead7b5c693774c4c8ea5f930c3213a75f0

SHA256
4affe920cb651929d4f3ef1f64ded4c3a7fc2e9377c3c57f72d053d79cbfcb5e

SHA512
0c5af9c619db791fdbefcd4388a3bc026f2f77dee857950230d1946dcad095242ca741ccc1235cac8e4a736bce13b4778cdbffd66ab246786ea1cbcd3a917030

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe

Filesize
78KB

MD5
9d5dfed8a5552ec7d4de806755190e16

SHA1
cb4c6f4a5db7b486f6833943d6c9d83841e4a3b1

SHA256
565ac8cac776d2f9932053d4d0133c5e748b38d5a056b8026a1ea1544bdfd2d4

SHA512
e6eb9f3195bface9921ca0c7d29a9ae204633269429e9808c2d671814545d747477d1f3804ce68c6844d4e3194f50f17d42f06b354297c9f64a5915cba9666c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4A4.tmp

Filesize
660B

MD5
dae8d8006a08569babc234e11b5d1e59

SHA1
371b9330d1bc03d87fde522b4c73e60aabe2d9fd

SHA256
2c02bef5904c77941c2b155bf495a96d4abcd6262b1f607fc3cda8aff188e145

SHA512
4da10fffb31448ddc3fbdedc5236571271b7eabee10d2504244efd9860867d6a64bb3bae0fe3a2fe048617fe24f666973f0136fd879c023bf69142a07b0a3a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1720-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2288-8-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2288-18-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads