metamorpherrat | 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17

General

Target

38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Size

78KB
MD5

197c0bad190134f5a490c9c2a8693ae5
SHA1

51772c9dbc86bdb98944649dda3731d0a4e62156
SHA256

38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17
SHA512

493ef8a5ba7166c0fd906b99bdc0ec87c58ba29ae027c437feafcaf05c3ca6d846a5fb5bb0c4fa147f5950311d52429e984b8a320dc47c93684f0f0368a1c6ae
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+g:UPy5jS6l0Y9MDYrm7f9/qXg

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2820	tmpBEEC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpBEEC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBEEC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Token: SeDebugPrivilege	2820	tmpBEEC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2056	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 2536 wrote to memory of 2056	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 2536 wrote to memory of 2056	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 2536 wrote to memory of 2056	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 2056 wrote to memory of 1536	2056	vbc.exe	32
PID 2056 wrote to memory of 1536	2056	vbc.exe	32
PID 2056 wrote to memory of 1536	2056	vbc.exe	32
PID 2056 wrote to memory of 1536	2056	vbc.exe	32
PID 2536 wrote to memory of 2820	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 2536 wrote to memory of 2820	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 2536 wrote to memory of 2820	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 2536 wrote to memory of 2820	2536	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33

C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
"C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wemcgqmg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFF5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBFF6.tmp

Filesize
1KB

MD5
95f92116c83a6e1aa6bc41f20531b85e

SHA1
7310a76c3ce6f4bf1f44160842338207040a974a

SHA256
059bb6cd6f55449b467b5c74aed10492faacea44343f0aef748d98e1f233f661

SHA512
38e8a391919b2d7f1ba73859ad131e3f640c7e5e4f208b598d16e0e7c300eee63939d0fae2370772c445632dc96b1f34409ab76d78dcd725f1e8e4ead7d5ccca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe

Filesize
78KB

MD5
a2406cf3fbc10f618620d2d7bb8c196e

SHA1
f5b36c062c0565c649a0d35665ee7b73cdc270e6

SHA256
d16fb7514984046eb6c30f1487f794eab2d0e86a33d5d66f1985e98b1f98b9c2

SHA512
a627838fd081c9f64576b7f82b1b42f294ee02acf6e044ea9661e8aa6dd84989d00a94d5b9865461fa6bf8215f0a2418ce56ae810de4bb469cdb27bc38dd96a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBFF5.tmp

Filesize
660B

MD5
512984383e736b579af244318038f0bf

SHA1
c83cd166b38d972656591ce99728ea5eeacf66b9

SHA256
e4ab8e49c2b60384ed6ddedf661a080096f533f05a607ff904c7332f200e8fc8

SHA512
3aac6f230e8bd70bf20e353afc68a5b9ae3eb60a797cc37cc365cf59f4669818456aaa5eef1ca4e8be51c01fa3e6b63081691b07b3de2aa626e1f734d7344920

Download Submit
C:\Users\Admin\AppData\Local\Temp\wemcgqmg.0.vb

Filesize
14KB

MD5
857a103be0ffbf01942965128f2dc27a

SHA1
4653837431a1bcccde5b57ffe0a31b59e4efc699

SHA256
25da07f6d18e28eba797f0152ead32aa3e839b7bf9d269d167c8e9a8d90cf2bd

SHA512
79239246f32cb95c8bc03b45c5273dee284adb007a99cc5072aa499cd73689644d665482c88872236890929103bcae29dd2a90b559eeac42b8427b2e6cd6bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\wemcgqmg.cmdline

Filesize
266B

MD5
f4f94d83c41e14c89f363b65582b166d

SHA1
21f920e2e127dfc1d937d344d127801350b5e798

SHA256
9b1f7d3a16b98a71842bd08308740c7b52affc2d2744e8abc400792196037d67

SHA512
a267cb5b4cb2937e81be8ee51f30a8a1cbd0dbc41b49b7b08bf85361fdc3fccfe2c90e86167aae2744e1bf80bfcbb468c862584ceab5117b614369198075c254

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2056-9-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-18-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-24-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads