metamorpherrat | 2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2

General

Target

2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Size

78KB
MD5

79fab37f08fc1e4cc0aeb2263a7bd6c2
SHA1

317efa5c6e28443a6bd79521cd2f433f1eab2666
SHA256

2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2
SHA512

2f613351a2ca49e615fd1cf7837fb8fbefe4f371d2858f02e3ade853b01e19e293a47f9c95081574afd2311b5af4d2f2358e480ba01d8f927a4e460e4af97aa5
SSDEEP

1536:KmWV5jPvZv0kH9gDDtWzYCnJPeoYrGQtC67F9/W1BDZ:FWV5jPl0Y9MDYrm7jF9/WZ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1136	tmpF077.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpF077.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF077.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Token: SeDebugPrivilege	1136	tmpF077.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2764	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2008 wrote to memory of 2764	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2008 wrote to memory of 2764	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2008 wrote to memory of 2764	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2764 wrote to memory of 2784	2764	vbc.exe	32
PID 2764 wrote to memory of 2784	2764	vbc.exe	32
PID 2764 wrote to memory of 2784	2764	vbc.exe	32
PID 2764 wrote to memory of 2784	2764	vbc.exe	32
PID 2008 wrote to memory of 1136	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2008 wrote to memory of 1136	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2008 wrote to memory of 1136	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2008 wrote to memory of 1136	2008	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33

C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
"C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycmvkq91.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2E7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\tmpF077.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF077.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp

Filesize
1KB

MD5
614c895e34d1ce77fe4aea217baa3094

SHA1
78328dd774522a0265bec0e676798677776daa20

SHA256
e2f4289555b0ed1ceb4945cc6b324b4d506e8b9ed54387421ed43cd6caf29ae4

SHA512
84a20513f0fcb53aade0903f6d79363f420301d1ff1ff3eb22d92a8e5fb2be4900bab278bdc52465adb6dea0f67a10329b87d376d665a6d20291f4f48729e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF077.tmp.exe

Filesize
78KB

MD5
865ea30be8133a93d53735043fdfcdd4

SHA1
e1c560d3a9374bf369b5cc4efbb77fc18742bdd8

SHA256
d4cc753e6b08a26ab3d0360b941558f85a8e3e24b6ebc87ecfdde56de5f43230

SHA512
793aa774d385682acf2006b9589a8608e6feeaf6c419cf71c30cc0b6616d630097f14c348879acb3bf48ab3eb488be54592e4c09deb3f7606b8a31bcb5f0139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2E7.tmp

Filesize
660B

MD5
6aac596b666f19902e0c9dffde9839da

SHA1
85e3fd1e221c52dc76f44ce21608af5729f27ceb

SHA256
001a2c3fc31ebdbb96347eefbdcd8da5f776b794a09fb3ba3a3dff2c4bdb62a9

SHA512
9e2bc5f8f7a2d75a28ab6eb6077ed556e8b5f1300d314219c488d0b1811178d7c12d0e6fabb377612944fff40ad08d7a720ccfbefd88b1a75eaa555d41262121

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycmvkq91.0.vb

Filesize
14KB

MD5
740d9c6c5f9d54240805a1921c907fd6

SHA1
0b59171d0c799f97d32851e87bc16d775ea551a3

SHA256
d0795bb159dc42886d41e208ccc1bf2eed2f8024209fa3fc9f38f1b81914140b

SHA512
5d5b1c44024c726bd9d47e05e055a54b7b5b50d8d8611e8c37fe37cd71741a8361b10f874a6e74b388cfa53ac7d30940a08bc540236b9554f6b966a647919736

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycmvkq91.cmdline

Filesize
266B

MD5
73ea308b57fcb4acc5a685781a8560d7

SHA1
1f9f8528894a1cc8bc6037c92cb831b8aae7fdc1

SHA256
6fa3fa3e7254866aa1ee4d07f2ed81a340b8e2c179ff032d065ff72b5fe103ed

SHA512
4c9829f2a78af63303dd757093a91c6ffa7127816b13f9f0a78d4610d056aa98a210523112c1299e2ffaa061f9e81c2f906a390c5fec46c290f91d63a6aa576a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2008-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-3-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-23-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads