metamorpherrat | 239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379c

General

Target

239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
Size

78KB
MD5

5e9a25e1710d46324674a1450175e000
SHA1

a4514222b7bd809dbad6d113f7581762b52b144a
SHA256

239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379c
SHA512

1f3268e0c6938930fc990d852013be013dfbf1e2bb30cc9d49020555edb5726b05ffa8ff9ac877dd78d0c49737a08ac52fdc67f73a23bd85a68d3d9a72c55314
SSDEEP

1536:64V58wvZv0kH9gDDtWzYCnJPeoYrGQty6M9/h1wt:64V58wl0Y9MDYrm7U9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2316	tmp9F99.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp9F99.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F99.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
Token: SeDebugPrivilege	2316	tmp9F99.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2396	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	30
PID 2420 wrote to memory of 2396	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	30
PID 2420 wrote to memory of 2396	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	30
PID 2420 wrote to memory of 2396	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	30
PID 2396 wrote to memory of 2964	2396	vbc.exe	32
PID 2396 wrote to memory of 2964	2396	vbc.exe	32
PID 2396 wrote to memory of 2964	2396	vbc.exe	32
PID 2396 wrote to memory of 2964	2396	vbc.exe	32
PID 2420 wrote to memory of 2316	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	33
PID 2420 wrote to memory of 2316	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	33
PID 2420 wrote to memory of 2316	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	33
PID 2420 wrote to memory of 2316	2420	239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe	33

C:\Users\Admin\AppData\Local\Temp\239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
"C:\Users\Admin\AppData\Local\Temp\239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mn0h1j2o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0F1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp.exe" C:\Users\Admin\AppData\Local\Temp\239d023880dacc44de7170bf2dc167a562d7e974248a0b93e030ae856dff379cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0F2.tmp

Filesize
1KB

MD5
edf950b7a20e1d75158c7448cb2b1652

SHA1
c7a0c9f0eb667b88dcaa2fac2e3b53e899955b88

SHA256
4e1e3f1cc18adb3fd6331a4a4cd9a8bcedc781bbdb30c28badda26ecc8566ffd

SHA512
d22df700aa8d26402ce904ece0feaffdf0e424b129f0aedc7f54025b1ffa95d60ff9b3f4044e24099a5326601284a5c2fdd71bdeef87d6cdfbfe6990bb904c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\mn0h1j2o.0.vb

Filesize
14KB

MD5
58069b80c5d137afa5be14d7a1666e6d

SHA1
6a09a2c6e0ac72c16864e4c436cacb107a0b839e

SHA256
90c44f0acdb2ca780c4092c29170f74257d030b515d742e12bd1f5a13d8c63a6

SHA512
5e054f5987223098a9596db43adaa7659afe49132d75eb5f9f6ecc723694cf35d4fdd36d9814a1e35c7d74df851949ef7ae557e7df3c3da04ea8dd9a4aba02f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mn0h1j2o.cmdline

Filesize
266B

MD5
9a79304c01fe13dffe998e823aaae186

SHA1
63eb4ec92e723483114d91d30173586903eb0c07

SHA256
efd05c048a464bbca95fb38e785b568727a0845baac23644105eb86f2cb8528c

SHA512
a586d827f55c937f425de6496cc1ce439ec096ac418238576db67018b3fcf670387ac900bcd17b259971098fcd63cea10b91250e75eb46b50df86bd111ff569c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp.exe

Filesize
78KB

MD5
a70b16675e6492d92159a0cc0b1b3b3c

SHA1
61eac1e56a5ad177b2c7228d127c199342533210

SHA256
c89febad35f8d560c621ed60f6f001d4879bccbe81b95531be176383d49b923f

SHA512
3f6e9b640ae261e5f5b9cba6b863ee83477a9db80ca56dcb59d33d5c4af9401c370299a38a70af6ce889a33b872fc767282ca8e13820fd583eb6e1ae1e61b8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0F1.tmp

Filesize
660B

MD5
112c3da27ba33b6689cf4e9da8afe30e

SHA1
197cb1f17d01d505256b07666e711d8d4496f113

SHA256
9a0a6b0f2a9ffe0fdc57b70dfd8e188e74cae19515c6295c3b3086beb5692c42

SHA512
b9810e8f9f1e5aeec393e31795094cfda44737c8773fcb9b06de31e61b9ea7bd823d0a959889067f6f55101d248c0b053137f2fa85c1352f6ea3347f3a3bf6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2396-8-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-18-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-6-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-24-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads