metamorpherrat | 291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27

General

Target

291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
Size

78KB
MD5

beb551f1dd2f8e61907eb863dee0bcd0
SHA1

72ba1a972c00a8ef1e4206f4f5e6bbd2ab95d7e8
SHA256

291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27
SHA512

a59fb0e6df943013565d9bae0144d2a30bf700c748b81145654a7c3606db84c94c082bdef0936a9de442f5cde57636d847864463d81320c0142d5ce4602a211d
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1AD:lRCHYnh/l0Y9MDYrm7eA9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2680	tmpD375.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpD375.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD375.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
Token: SeDebugPrivilege	2680	tmpD375.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2332	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	31
PID 2496 wrote to memory of 2332	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	31
PID 2496 wrote to memory of 2332	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	31
PID 2496 wrote to memory of 2332	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	31
PID 2332 wrote to memory of 936	2332	vbc.exe	33
PID 2332 wrote to memory of 936	2332	vbc.exe	33
PID 2332 wrote to memory of 936	2332	vbc.exe	33
PID 2332 wrote to memory of 936	2332	vbc.exe	33
PID 2496 wrote to memory of 2680	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	34
PID 2496 wrote to memory of 2680	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	34
PID 2496 wrote to memory of 2680	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	34
PID 2496 wrote to memory of 2680	2496	291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe	34

C:\Users\Admin\AppData\Local\Temp\291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
"C:\Users\Admin\AppData\Local\Temp\291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iffatsua.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD450.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD44F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- C:\Users\Admin\AppData\Local\Temp\tmpD375.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD375.tmp.exe" C:\Users\Admin\AppData\Local\Temp\291a66e27483689a67006bbb9a09a205dbdb4a32ecda10f5f0054c99a0d44f27N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD450.tmp

Filesize
1KB

MD5
4d035776781b6bc26041ea99ca426a57

SHA1
c4cefd287fcb2b03a4a8376b4501388f492ff394

SHA256
208655db1b0fb644bbaa97b11b80755b2d739d9b516edbecaf6c4502b63689f9

SHA512
717a7b2b50a8af7ebdf192b1ba685cea300d72ff74d10eeaf9743425195b8df8af6c948518d6ab4328bda3c103c05facecd7707821d05b78fbbb6d04fbc95d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffatsua.0.vb

Filesize
15KB

MD5
1a424858b43fea7e58ac9b4a5b0f8187

SHA1
e8a05093de11033df9d5168321a248caf93272d6

SHA256
4aa9868820f334272374f4e0d92743ca18ad16cf1c721d1703436b540155886c

SHA512
570653a26bd19b604592fc6607fa109a71b890e63bbfbea4caeef1643db839b6b236f05528d0e59054a49fdabba90023af3ad3013216f405ae78cb70b4759131

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffatsua.cmdline

Filesize
266B

MD5
5381d77db53e1b571871b2d8186bd043

SHA1
dd8970640eca5b831c19fcd51a6d05a102fbec7d

SHA256
665ad8e8d6b3d7879f3fbb49fd8f54b83d951b47440ac7581fd833aee881561c

SHA512
90860ad448fc0342f20c40e7007fc390c3e07a867569092ac0dc0fae63d276950c56d900f112b386cb435416101f7607b40b31af4afedaabe0dbb0d3c822497d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD375.tmp.exe

Filesize
78KB

MD5
7d68256f604b21c36a874a3e4346214d

SHA1
baac4b690b8e57ce4b1c30ad0d56f831efb282dd

SHA256
36612237449fceb91551bcede3559e42bcb53512c323e7ddf958d8ddaf0d0dd3

SHA512
0dc126a85245dbe0a8dc34117913a751e40d70b378ed3cd9e651a3c989575d6176b0f977daa92941bbee13054a27556790358ce56392a872c2961b08543e5a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD44F.tmp

Filesize
660B

MD5
9c004fcfd88894c7cfa1e7861ed3ccaf

SHA1
e2234944acd2cbd61de2661b5b59e5a872bd4c17

SHA256
a9bd97c7da9ac7767337e83ee5bb5f571c2bbfa4879c42b98aad9f0b52e52d19

SHA512
27ebc105e20c16c04dbe0be202dd530e671681f581932e1dc2356041bbcae236e0c866ff499dd94cab49e317ab54eb94875b381c403f8d9f42ce94ca78858a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2332-9-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads