metamorpherrat | 9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998

General

Target

9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Size

78KB
MD5

d07e16c653397a6d7afc1071c8f83ec4
SHA1

61af8fd022c3653b84e221afcce624e7758b3d95
SHA256

9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998
SHA512

77da0d2d3463b3433e546e38792d22b9eaac7904bf14a3e6c1d6285f56151641a2811fcd56805c3cebacefa5e40953f49058b6ef1b15f38fdeb72a50b8c2f978
SSDEEP

1536:oOPWV5jSbvZv0kH9gDDtWzYCnJPeoYrGQtC6N9/ju11P:DPWV5jSbl0Y9MDYrm7l9/jm

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2096	tmpE512.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpE512.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE512.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Token: SeDebugPrivilege	2096	tmpE512.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2896	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	30
PID 2244 wrote to memory of 2896	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	30
PID 2244 wrote to memory of 2896	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	30
PID 2244 wrote to memory of 2896	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	30
PID 2896 wrote to memory of 2888	2896	vbc.exe	32
PID 2896 wrote to memory of 2888	2896	vbc.exe	32
PID 2896 wrote to memory of 2888	2896	vbc.exe	32
PID 2896 wrote to memory of 2888	2896	vbc.exe	32
PID 2244 wrote to memory of 2096	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	33
PID 2244 wrote to memory of 2096	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	33
PID 2244 wrote to memory of 2096	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	33
PID 2244 wrote to memory of 2096	2244	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	33

C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
"C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgwuq5gk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE85D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE84C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE85D.tmp

Filesize
1KB

MD5
28baa9141ca0d69be857de1f16071cbd

SHA1
7185f01c91c803771d260937b74c1899abb1ff1d

SHA256
80f05df7d992b719b1c5ff7715c1a134d772f29b1b3efa72fb103be1d1428136

SHA512
23fd04a7143201f2cb964ae332170795e923126349e1d6358ab40401131b8dd3ae25b42a6f0191db3e473136f83891907a6553a27f38db496b2e5836289e923a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE512.tmp.exe

Filesize
78KB

MD5
c7ea04b6794aca40334a90a633d011d5

SHA1
64828fadc376ce9ffc79d42135cc248fd4e4050e

SHA256
db1f5b5946429b90735a1aac6cc7ffc3fe778c2dd2b6d28eda4d08de67e1342c

SHA512
5b4a49a74b387cb6466034619576e55471a11aabcfa58e5630578e945bf7ced7e3c4bb2850ed2edbc07097eeb030810100a27723888ef5200af22968784d0493

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE84C.tmp

Filesize
660B

MD5
10939ff001d02e8d07366098a781186d

SHA1
96f7e59645fd3ccb739e6cd094ff23cd741714f0

SHA256
a2115c850914a280804fe8ec47f97a14d95e86dde370077ea417da56e5c4e2cc

SHA512
68e85ccaa4614330b898a9d8499a3a8c3ae8368e28c9b3b9777da4226371d685d91d1fe5eb6ee99359b0c948facf36b235b53ee0056a38e5d36f111b3e3dfe00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgwuq5gk.0.vb

Filesize
14KB

MD5
c1d1dab320f61edf90665f54672a2be2

SHA1
b96a901b5f6d0a0cf6bd7b6e448d40072ab4fcac

SHA256
e48230fd83bbe046416285e5a79aacf5e9bf0f1d91494a35b5b8be45b6303994

SHA512
a5a35893889b0c7831c3be0760a880e61c89c9d73dd2b3ccef85bed4837e3b66571ef8a059140feca44a26710c74146d7a1d8c493299c288a2acbc0f5b84500d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgwuq5gk.cmdline

Filesize
266B

MD5
9b0d10da88a4f5cca52dab978a9b3016

SHA1
a013b92c7283a694a4d85d0afd1f5502737a7a9f

SHA256
98e0a28dd85a1d674e3cf06cc675df4949e089f1714b575dd520e417546ec36b

SHA512
9c22c7c27cb4aced00be50e396ccf439ae35c654cf5eb122bc9080b7ed32b046514a606e2b706d83cc3df57c9c355febd771d3f6da28a87ade11b18d67cdd1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2244-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads