metamorpherrat | 30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8

General

Target

30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Size

78KB
MD5

a48ccd22dd6942fc13e3dcf775542cb0
SHA1

f5e8deeb44d2f03b026344f55dee40458227fca9
SHA256

30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8
SHA512

c62a77b7408f643533c3173132d2f0981fef80ccf572a2434f7cbfc826d6ca5a51d55f14fa5c7c33f75514b4767f727cb8bab98787a617e38063dfcfc0cbe769
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+:UPy5jS6l0Y9MDYrm7f9/qX

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2264	tmpC88D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpC88D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC88D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Token: SeDebugPrivilege	2264	tmpC88D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2152	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	30
PID 2392 wrote to memory of 2152	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	30
PID 2392 wrote to memory of 2152	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	30
PID 2392 wrote to memory of 2152	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	30
PID 2152 wrote to memory of 1328	2152	vbc.exe	32
PID 2152 wrote to memory of 1328	2152	vbc.exe	32
PID 2152 wrote to memory of 1328	2152	vbc.exe	32
PID 2152 wrote to memory of 1328	2152	vbc.exe	32
PID 2392 wrote to memory of 2264	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	33
PID 2392 wrote to memory of 2264	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	33
PID 2392 wrote to memory of 2264	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	33
PID 2392 wrote to memory of 2264	2392	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	33

C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
"C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0zwfkl5l.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA41.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0zwfkl5l.0.vb

Filesize
14KB

MD5
2101e909b7e60dda30e8b8fda7ede25a

SHA1
c154ff392211708ac2ccec015fdbf20736cb6d43

SHA256
5961513e40c60dedb219a1bb55062b00ef69fcb6dca7be20da0f459f54e498a6

SHA512
afc387b8770e9cf7d42bead3b85d3929e4c5969242b43896a515eb890f76c5aef83fbda6ce49017e088b6dca69d6ad3fcb4022871d82e3924e7adf296272402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0zwfkl5l.cmdline

Filesize
266B

MD5
4940e026fa8c969c85cbbd3869f36fe4

SHA1
3c912e1fa8107a5b0f6fe82d04cdecac43450caa

SHA256
9dd77d709a0f08bf1148f84e7961cc3aa38449451bd1d8c3005f77d0d7d9826f

SHA512
f0454cc1599d73d778c26714a83ec6c25a650b383be859d1442ff8a1c69f608dc8d014f035690ef1a72de64f2c337dbb78296c156468d0fba76cd7fcc1b0714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA52.tmp

Filesize
1KB

MD5
1798dc030dd9c68726b29352271c806f

SHA1
42c1692c90de016eef6de667cf2f4351c0aecc2d

SHA256
46d43577106880a924bd712533b2ee54500b60646228229d75cf56fc6d872991

SHA512
9c8a726eafa0a46ed24cd67ccb4981a1a3ba48aa883e76b4cf2d873335d503eea76b327359e16d377c59e33f330b473aa0fd924be0bd61e23ca02873067c380d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe

Filesize
78KB

MD5
ba4fe247e0e93be433c3649995181e0e

SHA1
1e3f48c77b96f8bbf9bbd7260ce5d999a8061226

SHA256
2a74bf0ad3294445d2b6a0331f251d4e85988aa5483df94abe81ecc0e4e19987

SHA512
dd02be356cddc9b43720ef68aea4b86981e06815d25e061e354723aa6af157ece096b82fced20b238a932eb0d6bb42f0218474ffb7b0ca4b0b8adaddeac7e035

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA41.tmp

Filesize
660B

MD5
d88fdc5426a4ad2331bdb33847f736f3

SHA1
8be2f9c4377f710df647669f300908a142eecf79

SHA256
f730ee2fadb96f291aa339c923220c7b81234bccdc6058ab7f0d61e555e2fd82

SHA512
fe91909adac716b372d0288a243081e54b480c221ce2b85bcbb954531c1ff3d753b19ec0fd74b3176f5734ede486271cdf9760232a33a1e352ffbf409c326a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2152-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2152-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2392-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads