metamorpherrat | 4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958

General

Target

4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
Size

78KB
MD5

4a6df5ed5fd827595e6aa1e0183f9977
SHA1

4b6b213814da26ecb5b945179ed4b69169d3e205
SHA256

4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958
SHA512

688d2fbfb8b5fd3554a0f66a4cc064ebdc01ef5dc8ce57a85494fcd7077bd88e75b45330b38e553138b8bbe489c0637342cd25cd4da06c4016d136970b328189
SSDEEP

1536:0StHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte679/ih1a3R:0StHFo53Ln7N041Qqhge679/nR

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2252	tmp2F1C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp2F1C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2F1C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
Token: SeDebugPrivilege	2252	tmp2F1C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2852	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	30
PID 2848 wrote to memory of 2852	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	30
PID 2848 wrote to memory of 2852	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	30
PID 2848 wrote to memory of 2852	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	30
PID 2852 wrote to memory of 2068	2852	vbc.exe	32
PID 2852 wrote to memory of 2068	2852	vbc.exe	32
PID 2852 wrote to memory of 2068	2852	vbc.exe	32
PID 2852 wrote to memory of 2068	2852	vbc.exe	32
PID 2848 wrote to memory of 2252	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	33
PID 2848 wrote to memory of 2252	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	33
PID 2848 wrote to memory of 2252	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	33
PID 2848 wrote to memory of 2252	2848	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	33

C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
"C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsruqge0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc318C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES318D.tmp

Filesize
1KB

MD5
8d54e9e7408afb389ae9ece9b76a613e

SHA1
6d5059cc87b5f954efebdc10051551ba29f3ead6

SHA256
31aa273842d32837b8c6fb05ec8eb0e6a4a3fe8e165cf01f174be615a92fbeba

SHA512
a6066c0acfadab1a89e6d3bb5abef7f1b460d10d7b9a27a7b7132077b6d2362078771bf39c48e12f2f6daa91b294d5c4539fbdd34e512b150e4b64afcfac238e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsruqge0.0.vb

Filesize
15KB

MD5
47d795c688e164ffd57711a3a7faab31

SHA1
296c136732b7696b6a5493b34808bd973654dbec

SHA256
7c767795427cd5cbcd8f9b9199ae47df909a6b8214552055e5dc060fb965a46e

SHA512
76f942e5b078bceb80d3a32aaf4b3607c5b851c1e33b9efe8b7a0cb8ce0d78b5671c73fd87c83f862907a6695e8babe530a6c4134315281400ade11c05efb76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsruqge0.cmdline

Filesize
266B

MD5
e9385a16dc7e89abdbd7c93fa0acce5f

SHA1
eeea9d5893f855e4bccbaea995068bcdef056372

SHA256
6472c1396bc6f96d5d1b7e257efd45a851b71a1343d53081591e3b25e1f61507

SHA512
8f4cfb17c716c5c6e867559ac37f6b924962ae2320ae21c290dc00094ac22f5a02a3ff27c9e9baea0639957d3e297702a234a8241368790edad062dd37303bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp.exe

Filesize
78KB

MD5
3e2184a273534c65e57dd3c902d8fe30

SHA1
1822e8fa18e216b03d397e5ab13538ff7e06f28f

SHA256
38eeb39cdd7179953e403d44447194478c434841f9d3b1bda23f592ff2e1efd3

SHA512
ccb2f6fc2d55a33d6cb92b1049b8032cefef7a44a0254cc361f4c8eb70863f33e0d970cf1e9ce1d08cc5486716904107aacd727f59891d1d1d7d92678bd706f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc318C.tmp

Filesize
660B

MD5
151492b93642fc3a6a9631b6bfb0c1ff

SHA1
4b9797e701573753c4bce1678c90450dfc921378

SHA256
2610e1388ca758466b02fc46ec109d36a9e51b633fd156c519a5b1c7a3323b85

SHA512
95894c7ed3bb7958db9abaec458fc2cc051811e40d9ecb7b8aec7c7df8fe8c4c5fb0859befc3a260cfc5c561e2179f0ae0328b0d717d7ac4b62cf6af8d3c9e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2848-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-24-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-18-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads