metamorpherrat | b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba

General

Target

b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe
Size

78KB
MD5

d0739ef03217e60248fe60c9c0d0cd89
SHA1

6b843af52c1016461e9c897c0f03b79fa5849aae
SHA256

b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba
SHA512

89a84ab026fd465b299bd59813dd11634bb646d5a256a0ad6b0d5955244e3c4441c0b557ae0e64b7006a62ad9b84ff624e88bd256f64dc7774352377e6ca9c96
SSDEEP

1536:KCHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQtqx9/21Gsi:KCHsh/l0Y9MDYrm709/8i

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2268	tmpA5F0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe
2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpA5F0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA5F0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe
Token: SeDebugPrivilege	2268	tmpA5F0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2092	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	30
PID 2384 wrote to memory of 2092	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	30
PID 2384 wrote to memory of 2092	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	30
PID 2384 wrote to memory of 2092	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	30
PID 2092 wrote to memory of 1952	2092	vbc.exe	32
PID 2092 wrote to memory of 1952	2092	vbc.exe	32
PID 2092 wrote to memory of 1952	2092	vbc.exe	32
PID 2092 wrote to memory of 1952	2092	vbc.exe	32
PID 2384 wrote to memory of 2268	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	33
PID 2384 wrote to memory of 2268	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	33
PID 2384 wrote to memory of 2268	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	33
PID 2384 wrote to memory of 2268	2384	b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe	33

C:\Users\Admin\AppData\Local\Temp\b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe
"C:\Users\Admin\AppData\Local\Temp\b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\trdvgrrd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA67D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA67C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- C:\Users\Admin\AppData\Local\Temp\tmpA5F0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA5F0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3093b934957f4e125ca90dd4d4a39cf267a331d1dc231d77c9e914bc3f4b7ba.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA67D.tmp

Filesize
1KB

MD5
2b5319fc8d3ef4dd1834e2e99e1f7420

SHA1
305218962eda476948762c6baa041e92530b9f10

SHA256
6a34146b87b29ac661b08c5ea83185b0e93e91f7f95569b028897292375f6627

SHA512
c962c7c5487b1c29390e3bb8451b6f06f43ad153968e57a5779edf08cae42cb15e38c8add733f5555f1a960b653609caa075e92021c203fc202fdaf3015de6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5F0.tmp.exe

Filesize
78KB

MD5
a5b1796d2028561f1cfa68620be86df5

SHA1
bce38f859e96344edb2d5746e708dd4b2885fbf4

SHA256
e7866dd2d69a877b5f8210fd73b94125045d12893d92d239e09bdf0401b0ac4b

SHA512
8fcda809369672bd10251e85f26791fbef9fe522fbb93b59879fcc6c3773ec8606157b2f5e5284210b4451aaa1167da03449a4d6aba11de688d354f32c555316

Download Submit
C:\Users\Admin\AppData\Local\Temp\trdvgrrd.0.vb

Filesize
15KB

MD5
2cb46f3ec0a4c0c459661970e60c5f63

SHA1
d83bab5f4618c7e76b22aeaed04a17b2f486932a

SHA256
be137f982b96b89b2c67964ac2809b18b92626315e2aa7bad90d4c0481bc95e8

SHA512
b4410e4355857165545943035d14a7f1212b6fb3460c15e4b204f190f7abeca19dd95aa41e333294c0202268cb222856ee84bffacd0c411d74e8a7eaec341781

Download Submit
C:\Users\Admin\AppData\Local\Temp\trdvgrrd.cmdline

Filesize
266B

MD5
fbce7b6fb77a040c11a84ce9906cc15f

SHA1
e0035b45285781302705b624fdb2b6bb0ae717ce

SHA256
7be12d7bceab07ed2e1c4ae43ed47b3667557bcc2e0b690844937cfa8758cb6d

SHA512
0fc9d86e14db23e9dd014ed1fc0e37ad11c2d11ddafc3075beb736da7d41f452b3f7d3e5c67e8554ff9d9c3ebe560211ca4997db61d2be591ffc19a28f7f324e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA67C.tmp

Filesize
660B

MD5
63bba1497132c073d1d302cffccdf10f

SHA1
8ea49d636f8ce48e764e0871c82be3af7287d5a8

SHA256
9373732d6e877a74e20eb2b76c568cd82b6826edca6a7b0e3225210613848be2

SHA512
d8a5e9a8be1f5ea2ca24663122e11321aad98157a08c87316e8af9a0bd3dc8a4d7920a93546eee0eb89555cc98678616bb9e8ae162d6af920fc4ed8e6d886fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2092-8-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-18-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-3-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-24-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads