metamorpherrat | 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a

General

Target

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
Size

78KB
MD5

01658283871862263343db8c80526e20
SHA1

7304d9cf47d70ccd9a54892e53205ce8ed86d33e
SHA256

4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a
SHA512

3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2748	tmp93C7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp93C7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp93C7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
Token: SeDebugPrivilege	2748	tmp93C7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3024	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	31
PID 2376 wrote to memory of 3024	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	31
PID 2376 wrote to memory of 3024	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	31
PID 2376 wrote to memory of 3024	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	31
PID 3024 wrote to memory of 2964	3024	vbc.exe	33
PID 3024 wrote to memory of 2964	3024	vbc.exe	33
PID 3024 wrote to memory of 2964	3024	vbc.exe	33
PID 3024 wrote to memory of 2964	3024	vbc.exe	33
PID 2376 wrote to memory of 2748	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	34
PID 2376 wrote to memory of 2748	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	34
PID 2376 wrote to memory of 2748	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	34
PID 2376 wrote to memory of 2748	2376	4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe	34

C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
"C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qzwhbxkb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc954D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\tmp93C7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp93C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES954E.tmp

Filesize
1KB

MD5
f0d85a7e111e69bd2f248e723c5ff9ef

SHA1
c178a8abaf986c111f6474dabc114fe17d25753c

SHA256
a6a8ee38103f1f5477f25b3775febe45cb19cd53e04d8f2318df7ece34a80d84

SHA512
08c2a4e453c037288dd4d625fade031faf1721040f2f3f90567ade17e20d3bce5e75c1345ec4d27e0ce7acb27e335c29cf9252af34edff46bc8521572d62f1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzwhbxkb.0.vb

Filesize
14KB

MD5
8aac1ee4b7132a9e08d476be9d5e8135

SHA1
3ca31d86c386b81b1a9cb02e4aadd9f6738b312f

SHA256
7771acb59fe64644c244c6ff3f5c170771561dae81c4fbb60f51ee35f3294298

SHA512
a1584f4860f05e7760bc2ec8b644c6308c0cd048e007dbbd4164b78ba2377c10fa180964406ad41b59b4d7fd373d906a9d2bb766343ba669047e8bc39f5bd640

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzwhbxkb.cmdline

Filesize
266B

MD5
9f44e819bce35871376167a916d35935

SHA1
701b04ab6d8a7f295d58dd6a8df3939b21a717bd

SHA256
70054b85ea946dfaa04b3f12cac0a50b0ad107c7fd83825a9271bede72f8a402

SHA512
a128fb7724ede0f96ea02d4a43750d2decfa0b20f2c9d0245f6cf3946c58683e6fc890affc75bd02fcf33eab4515d1f7efa224f2abaddd4d5f099621941ea2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93C7.tmp.exe

Filesize
78KB

MD5
fc3c244436857918935f9080b5841927

SHA1
e929cbd6ccf8c9e1cc9a378e7491f4fd4f4a7a1f

SHA256
513ad5e8d1cd000dce2479d4409bf5b1b2e1011d08fa9e05a664a59953eb6b32

SHA512
4fa510639aacce01abb1fc257b1ef4474abfb5663222771c1c7c06ecbb96c16291a0a5e085b4a51b1cb1e3b402c0be0b4796e26f30ce196e4dfd8b8e4f603c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc954D.tmp

Filesize
660B

MD5
aa42ea05187dc09d4f794fafb17769e1

SHA1
5acf8a84387aff27cb7308b44642f5b25df5e9b5

SHA256
bd615c4231d5f73e201a73a86562a817f80c77d8f13f60da3a97946fb609fd24

SHA512
a0f080718c67b9795ac05be5af4e3a293d0d3c77e1b64e06873de127fd4a0bfff76df4894290366c8d648364c96c4b700fc3971c09bf1da26c793e4e1128b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2376-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-24-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-8-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-18-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads