metamorpherrat | 83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0

General

Target

83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Size

78KB
MD5

5a796d7b24648dbdc222397fd0652e9b
SHA1

e61f76d4be3a988508565e1d7d012fd3978d998a
SHA256

83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0
SHA512

60818a41df65b37323263fe052830e115251fc218d87533568dd730496c3b9c1b5fdb18811a2ee36750c032ba23a5bff02e04daa0a7c15772336d5b05fbd71a4
SSDEEP

1536:8StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQte79/x1qwS:8StHsh/l0Y9MDYrm7e79/DS

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1620	tmp94D0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp94D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Token: SeDebugPrivilege	1620	tmp94D0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1136	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	30
PID 3060 wrote to memory of 1136	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	30
PID 3060 wrote to memory of 1136	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	30
PID 3060 wrote to memory of 1136	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	30
PID 1136 wrote to memory of 1656	1136	vbc.exe	32
PID 1136 wrote to memory of 1656	1136	vbc.exe	32
PID 1136 wrote to memory of 1656	1136	vbc.exe	32
PID 1136 wrote to memory of 1656	1136	vbc.exe	32
PID 3060 wrote to memory of 1620	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	33
PID 3060 wrote to memory of 1620	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	33
PID 3060 wrote to memory of 1620	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	33
PID 3060 wrote to memory of 1620	3060	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	33

C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
"C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xm4953yz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96E3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES96E4.tmp

Filesize
1KB

MD5
f9eacc25f8fae253f0929be6de6a6dda

SHA1
cfddf1508cf9d02916cf41b2782369cf23f4c796

SHA256
7870c3f7c843a5d801eaeb9d2f0af6a3a14b0a55bbb07bdc987654479ae8b583

SHA512
28db2b93aca8381211442171f963d66b8c9433492f98ef1a21a9bfb72fd08a1a9b7fabe0c764354985296a4ff5ac4b005a3d84845b6acb4a52119087cb793341

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp.exe

Filesize
78KB

MD5
799208671c9b47fcec79a0059808b86c

SHA1
962dfb0a32f7bab0b523a2a304c9ee5ec5d35ca8

SHA256
0423d9ca942740800201640e9536f2017d50adc0dbf455138a825840569f1c63

SHA512
c7199ec9a6232c0ca570d63d5573b5c78043bb7c91392b8d4d479cacfdc0b5fd12367ae7e3d39dcab100219ab8db70b48fc5f780d81866e3e87aa1d68b965a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96E3.tmp

Filesize
660B

MD5
3e213147ac1f7c820887c6c6a10d6942

SHA1
57228b06fe9486d462e17d5227d08ee48cf77fff

SHA256
b8c5d37461f7be49deb85bf261f9550382e39249ded7cd4e75cebc3990c7a003

SHA512
bc9ecaa117b48e9a4bacf4ebbe91215ac78be0d580d4553d18c780f02eff9bc2dc38daf8d8e409ad815aed604c7f3a1d2c377595253e257f38bbb75c7f905a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm4953yz.0.vb

Filesize
15KB

MD5
59cfde3ec5228efbcd41e69a59d71d7a

SHA1
c53a18feb9091c7f391955d083e0f88e953a3859

SHA256
79ce8289afdfa53570096d0bd14a74793ca7f6520cdd40b0812c8b03753f3922

SHA512
2e5d8409a2cbbb75f7ed23f3b2b69bae026f27de3c182989af760964a62d5707222e7e5d77c42d91e6b6c2204cc6a94321be6200cde689735e0f34f8708e0812

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm4953yz.cmdline

Filesize
266B

MD5
50ce87d76cb040ee518de725df10a5f2

SHA1
23add33e1b71ea4b78450f5d933c38d79dda5eb4

SHA256
6bba40ea198683caea72479b5c1ec2ae1df9afad134fade66f0ee83ade5a7912

SHA512
24e3fa026dd158d7c3b953602976728b2b8e9255cf8811a9bb20894cb3badc729b9f117439bc26995120c66f84dc5c663ab6f601a73a8edf395ae78b9c11b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1136-8-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-6-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads