metamorpherrat | 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17

General

Target

38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Size

78KB
MD5

197c0bad190134f5a490c9c2a8693ae5
SHA1

51772c9dbc86bdb98944649dda3731d0a4e62156
SHA256

38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17
SHA512

493ef8a5ba7166c0fd906b99bdc0ec87c58ba29ae027c437feafcaf05c3ca6d846a5fb5bb0c4fa147f5950311d52429e984b8a320dc47c93684f0f0368a1c6ae
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+g:UPy5jS6l0Y9MDYrm7f9/qXg

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2940	tmpD088.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpD088.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD088.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
Token: SeDebugPrivilege	2940	tmpD088.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2252	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 1820 wrote to memory of 2252	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 1820 wrote to memory of 2252	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 1820 wrote to memory of 2252	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	30
PID 2252 wrote to memory of 2964	2252	vbc.exe	32
PID 2252 wrote to memory of 2964	2252	vbc.exe	32
PID 2252 wrote to memory of 2964	2252	vbc.exe	32
PID 2252 wrote to memory of 2964	2252	vbc.exe	32
PID 1820 wrote to memory of 2940	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 1820 wrote to memory of 2940	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 1820 wrote to memory of 2940	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33
PID 1820 wrote to memory of 2940	1820	38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe	33

C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
"C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8chhczn5.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD50C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4FB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\tmpD088.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD088.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8chhczn5.0.vb

Filesize
14KB

MD5
7a788831eef61eaf05f1dd9513713ebd

SHA1
7b833e875f52cb058053d63517f5d9995785b943

SHA256
0a250b0ff6434850e926567a0b1412392e01ad359e203b031443a137cfeb94bf

SHA512
17f8901a818907b77175ab64eba2ef731699afd2216b9eb08a709e3ba138e714a1626881e72faa4f6ec3cd974b7189e774705c54aa7549a9c7c3b935e9852ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8chhczn5.cmdline

Filesize
266B

MD5
3e55b6410e5f704eb013b453a80234c2

SHA1
0ce907fbc944a9cdc084ab6fa8eae3ffbc488a04

SHA256
ad33db2e5fc5969c96112bbd934ca2f194988beb700f28e037b6f0d9d6b9e891

SHA512
c403adfc3e9a198967c80cd9734afb7f848a86689f74da8912f47a23fd458d5c0eea0f39b2c16d9d30c0b566152109a938481673160e0af54ecbdd4ca0b20b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD50C.tmp

Filesize
1KB

MD5
f7c10d2e1cfa99eaa38a6ff9fca3d968

SHA1
6da8da9b0bcfedc864e64d3c99b140e259fd06a1

SHA256
ff36cf72e31465e99cd8108305bc351d66c5957b34ca5897fd48725806912dab

SHA512
741d168db7057e0cda3c9264aa0c34651c3eaf3153f6e544289ed07144981b45e478bb2ab87aa74d05a9aa7155e22e5c9bae5ff9df1cb123708c005cb61c11e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD088.tmp.exe

Filesize
78KB

MD5
4f64f3b445e415f2ade82290106b26b4

SHA1
417b1de2e4f628d7570e9b84a65c0f4bf792b1ec

SHA256
32e5d55c16715a9878a80d5b45160d03d77192ab1cd7ca45c58567466d43c32a

SHA512
fa950ddb9baedaedeffb8f4d351766e3d86c2268bbfce8b1da9c415fceaa2e1d085a6014c32ae730009565f504d5ca4746934946e73ca729b1084db4fa298915

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4FB.tmp

Filesize
660B

MD5
7494fadfa3b92316829b4bf60a568de8

SHA1
01f7dca60a7350ad41098336ea563256ab041c47

SHA256
fecda4adeb2aa02755b2e132de5c4794c327ed5c63555e3706282b2dcbd1201a

SHA512
724c939d8224eaaf101dd8b5bcb5c1c2511ac920ffe0e5d53f5e22ce7f6b0d457e342be099b4d49e616c1469019d8b59841439265b2546cd691f1d923c28572c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1820-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-24-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-8-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-18-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads