metamorpherrat | dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d

General

Target

dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Size

78KB
MD5

ad17443af685ea7bd728ada4dcfd3844
SHA1

3173d8adb196f463521133e38d08e78fab3674b2
SHA256

dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d
SHA512

5483d8bb622400dda41a3ded0026a754939913ccfedec4adca9370067a10ef83b0396b639a72eb77f2522f053c0eccda2142195870c6dc8a2706546a5cf34833
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1ADc:lRCHYnh/l0Y9MDYrm7eA9/pc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2296	tmp9D49.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp9D49.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9D49.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Token: SeDebugPrivilege	2296	tmp9D49.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2400	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	30
PID 3012 wrote to memory of 2400	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	30
PID 3012 wrote to memory of 2400	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	30
PID 3012 wrote to memory of 2400	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	30
PID 2400 wrote to memory of 3008	2400	vbc.exe	32
PID 2400 wrote to memory of 3008	2400	vbc.exe	32
PID 2400 wrote to memory of 3008	2400	vbc.exe	32
PID 2400 wrote to memory of 3008	2400	vbc.exe	32
PID 3012 wrote to memory of 2296	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	33
PID 3012 wrote to memory of 2296	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	33
PID 3012 wrote to memory of 2296	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	33
PID 3012 wrote to memory of 2296	3012	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	33

C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
"C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zdd_jieo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\tmp9D49.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9D49.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp

Filesize
1KB

MD5
fe08cf99429f19b7ab22a93e770a5501

SHA1
2131e83c46dc0021f37fcd41727cab20e86ecd7b

SHA256
6fae4a7c7c3c3649ec6c27d18b852ac918394cc7c9ceb171282b0e4d59658f57

SHA512
624ab37ad8fc15e8517f5b14a56bb83da98f307885ec99d7d807ed4040e465ad52dc959e663c6a29b6bef65efd01dd6963e164a0d0df1fe12e6e4150a3af6f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D49.tmp.exe

Filesize
78KB

MD5
88a43e60e1d1922a56f16d1863451879

SHA1
46e4c9852d3705c4216090f39233a3f97fcb9672

SHA256
6aa41af99684d0e2d5ca856defef51af8daf6fdd5c821024cb8755af40942d58

SHA512
e0bb1605c979acabaad693ce293d1af607cfaa8062b8ac6cfc7633ea073e461b0efaeb31be4249ecd3c2de9a6231f46b4fbf941d932ff0b110bcae7387aa3abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp

Filesize
660B

MD5
cdf5051fab186893dbf6b141ae7ddf68

SHA1
37dc2aec13a6faa28bb70463b835b180111baeaa

SHA256
9de6818c0c250fac95773e7fb2723b599376cd4b3bca1dec763129b87bb3956e

SHA512
d2603d7a7d8b567f8493bb6f9e94a00aac86db234ae1decfde2dba2e0915410461a45278c2b037c4365506b2facfd59910ce60af09b673525860eb79271b7913

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdd_jieo.0.vb

Filesize
15KB

MD5
bb0c01e74969bcc19e29e570f690a453

SHA1
ae1a9644fca3be0162436450844617ecaf543625

SHA256
aab76c5808a1c8ccacba8acad1c6064b75533e3440d30e0d382d81ac30e49593

SHA512
f3efa34e814222acbbf2344c21b4044cc2666f1f8f6bc8d5eac6f4fe25575c85bc4308823d868a4a1a7db3a81051c18b9a9747a19ec0284fd4d068d045542cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdd_jieo.cmdline

Filesize
266B

MD5
94f053f294e329b2fbe329e947213a58

SHA1
21258248d1cc77681ecc839c867f88adc4907f1c

SHA256
f1525524320a0cbab442cea7e2f42891dcaba75128b3ea2f4a0845d68642a2da

SHA512
e6d458a2b9b3fa020ff282bf40a2364700c4ffc3a910641e09955e4a05f50b741b3897ccfbbd510ea11389b0da52fbf0c446c087fe6e2e29d26df4320f9cda15

Download Submit
memory/2400-8-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-18-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-0-0x0000000074291000-0x0000000074292000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-2-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-24-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads