metamorpherrat | 1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230

General

Target

1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
Size

78KB
MD5

b84d89a0123f7489719b22e498eeef30
SHA1

1c6157ea282a84f5d9712db3280186a938935251
SHA256

1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230
SHA512

6d2a78d78482f6aa0d36e92744ce7b635d1a1af854396aa4c66156618712c13262ec102ad1f442616172ef3fc795fb1c7e1fa350469332ff51799fa0c3db1521
SSDEEP

1536:7zV5jS2vZv0kH9gDDtWzYCnJPeoYrGQtC6N9/M1+V:nV5jS2l0Y9MDYrm719/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2100	tmpC504.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpC504.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC504.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
Token: SeDebugPrivilege	2100	tmpC504.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2260	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	29
PID 1048 wrote to memory of 2260	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	29
PID 1048 wrote to memory of 2260	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	29
PID 1048 wrote to memory of 2260	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	29
PID 2260 wrote to memory of 1276	2260	vbc.exe	31
PID 2260 wrote to memory of 1276	2260	vbc.exe	31
PID 2260 wrote to memory of 1276	2260	vbc.exe	31
PID 2260 wrote to memory of 1276	2260	vbc.exe	31
PID 1048 wrote to memory of 2100	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	32
PID 1048 wrote to memory of 2100	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	32
PID 1048 wrote to memory of 2100	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	32
PID 1048 wrote to memory of 2100	1048	1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe	32

C:\Users\Admin\AppData\Local\Temp\1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
"C:\Users\Admin\AppData\Local\Temp\1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\esbuh9un.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC90A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8FA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1276
- C:\Users\Admin\AppData\Local\Temp\tmpC504.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC504.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1917fbf8ed759c61afd816961879b4d924bce61fd33a8cd58a511cdcc9df5230N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC90A.tmp

Filesize
1KB

MD5
5ab84f05579066773ba2766342ed722a

SHA1
38dafa8035f5c450104265709077fb15bb4b36fc

SHA256
6bcaebc5b81811735b6a841b85b581606893a20611384129bd46d5223d8a86ec

SHA512
f7dcb36295938085f45e4eeac6172878527fa140024565556bea5992b4e7293713197c23b8fa1ac5f6ef8be13449768fd787a4f868ad52e8c6a38da3d94c34b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\esbuh9un.0.vb

Filesize
14KB

MD5
4b94c1f53df72ad2ec8b03680f1f640b

SHA1
115bd206f32e1f9859d2ce7be54733aeebf41d64

SHA256
ebcb7bb6f7a5a4eafe6daaa3ffa68c341dfb970874d53fdc8b9affac3d88d79e

SHA512
8f4f6ef25d76f8cc43fb5290cc1c70d2a4c4d31bad234e4bc0346b785b510c5d035f6615f217b73d56691ee02cda48b092bf2e42ec5146de778b114bc0c1a974

Download Submit
C:\Users\Admin\AppData\Local\Temp\esbuh9un.cmdline

Filesize
266B

MD5
7c59c6146f94c9565dab22ecfc17b06e

SHA1
7d9c0cdfcd3df3e1cb43d5aa777bd41f7e23cdfc

SHA256
9dc6eef5f2f77c45b54bb04d8a26bcb336d75c035f49b193c4d13aff6cfb472b

SHA512
af839a4645f180066dec15177e48e80df5eaa6c1e0819c46595c81c70a65c644bb183680647a3e081238e1f7ddc348bcecf8de705e800634eb02f9c01909731c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC504.tmp.exe

Filesize
78KB

MD5
209f8b6dc62ac066496bece1d07d8c76

SHA1
807015c9fa50a797a152d20897dc86b45224047d

SHA256
cd7e24da448eaa56a05a8cb118578e746c4f143a0cd3b7cd50dda079bb856324

SHA512
ddc3f762ef0599b5d74de35a43c768456282bfdbead52f76156bb6a0cc85b92a6817781d837622baa747d6cee2941cf9392551962bbab2c99039955900b59c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC8FA.tmp

Filesize
660B

MD5
b4255b1bf63e9cd1e3625aae6d3f2e73

SHA1
de453780da9207f715d8567b57bef51d650b5952

SHA256
bb047bf6364e2cc0337e235b8df677d495c832014845b1396a014465e73fc0d6

SHA512
449f9b26ff1755c9b6cb342b8ed0249b5786d4b86250b2b42355796753b8e362fef26cdbb17703c1ccb9c52cfa718e57b3fef9bbcfa12be7a6ed5875ff5d06c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1048-0-0x0000000074FF1000-0x0000000074FF2000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x0000000074FF0000-0x000000007559B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-2-0x0000000074FF0000-0x000000007559B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-24-0x0000000074FF0000-0x000000007559B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-8-0x0000000074FF0000-0x000000007559B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-18-0x0000000074FF0000-0x000000007559B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads