metamorpherrat | 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a

General

Target

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Size

78KB
MD5

01658283871862263343db8c80526e20
SHA1

7304d9cf47d70ccd9a54892e53205ce8ed86d33e
SHA256

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a
SHA512

3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2732	tmp61A0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	tmp61A0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp61A0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp61A0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Token: SeDebugPrivilege	2732	tmp61A0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2712	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	30
PID 2708 wrote to memory of 2712	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	30
PID 2708 wrote to memory of 2712	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	30
PID 2708 wrote to memory of 2712	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	30
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2708 wrote to memory of 2732	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	33
PID 2708 wrote to memory of 2732	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	33
PID 2708 wrote to memory of 2732	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	33
PID 2708 wrote to memory of 2732	2708	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe	33

C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
"C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhdqe4om.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6337.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6336.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6337.tmp

Filesize
1KB

MD5
c35e10edc5f59e34ad482dda11e7ecbc

SHA1
895cc866fd11c76eff1d40b4f94a98863a4e3c9e

SHA256
1b6208ae823a49c610f6d59b7a0a4f75a6f634efb5335d7012c38bfe2a6db57d

SHA512
6afbc1cac0e2bfc4a0c3061f176dd95ef5d5f79dca5da2ae355715f5fa09c81d8a867f2a5e058bad708b7e0723fbbd83d42c8cfab503b9f604881139a892bacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhdqe4om.0.vb

Filesize
14KB

MD5
36a023a4c51b93396950992af60faf5f

SHA1
e01e73ff3a9c6a439e31487c1d5b966c413f4c7d

SHA256
cdaeb455a8071188bed4f1492bc3d4ad66d7a0486b83733cba6b6e8f011fb3c8

SHA512
57779eb7e0f438da39e836e13cf9136b96076a0142b237acadd796ad5e00b1fda03e8307e77adabbe79fb7fe1c19223c07568891d91815935bafa86df6687a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhdqe4om.cmdline

Filesize
266B

MD5
1baf5fd8f9c7e3d68c8236ffd15464fc

SHA1
1af71ffef80e954d94e70bcfb7365462d594f1e2

SHA256
a27563448546e2e4df0a293fee5dd863231592e47e86c6bafd9510595cd10a7d

SHA512
1ec7dfd9f274227730efe829134319b9023eb633bca60c828a804bb600b4c65e5933beda72a6e4d24dc76d08549f21a869d7457f302044f2d9d66f6bbdd9c8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp.exe

Filesize
78KB

MD5
324c4cbd685bbe1484ce6efb07c97b14

SHA1
766678f3f981a637a4217c6870ca7fe5829b3ad0

SHA256
78d514de8d4d44dba043344aa1d902a4e2fe28bc2a3c2848de645ad766e0c98e

SHA512
b42e4baee691452308beb7ec2887e2fa8634b8484818acdeb5ae8b2fcba9d131e31b27045bf351351600799148d105e300cafe8f78026c1322731decfe7ba0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6336.tmp

Filesize
660B

MD5
9df4b494a0deab6786b2e8f81759634b

SHA1
4c2f4a4a7c90da7e6d5ae3428f877beb60b9c93d

SHA256
d225676163b08dd74b7c4a6e35da8d3a4648274ac2f51b787ced730e570b088d

SHA512
a79dc55738463698cfe415ec4ec7ccfa60f46534747b9dca98d4bff77a5a3416b7c84a2fb58dc665356c9b8bcd1b951e7911bb9eb773fe90f6a4a374b6739e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2708-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-23-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-8-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-18-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads