metamorpherrat | e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce

General

Target

e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Size

78KB
MD5

456c1ad72e09f02d88e6ab78d6ce43f4
SHA1

49e1e1e8180c54c9a8900592462a5acff2d78df4
SHA256

e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce
SHA512

df660ad128a8bb6d43a48e804e75b17273bd959679a740b2e8ab82f348d6f26e5cfebeb3d22b12af57841c612b936756bee3204902f8be3b00f0340d3f877b61
SSDEEP

1536:sPWtHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtQ9/01pg:sPWtHFonh/l0Y9MDYrm7Q9/L

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2668	tmp46E0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp46E0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp46E0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Token: SeDebugPrivilege	2668	tmp46E0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2700	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	30
PID 2748 wrote to memory of 2700	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	30
PID 2748 wrote to memory of 2700	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	30
PID 2748 wrote to memory of 2700	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	30
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2748 wrote to memory of 2668	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	33
PID 2748 wrote to memory of 2668	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	33
PID 2748 wrote to memory of 2668	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	33
PID 2748 wrote to memory of 2668	2748	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	33

C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
"C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pftypzdd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47F8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\tmp46E0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp46E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES47F9.tmp

Filesize
1KB

MD5
9d578b5c7fdffcabfb5eaaa610ca4fd0

SHA1
eb88f3e9fe515a12b8e15703f5c99e6bb16f9995

SHA256
ef84db6d4ead12ae73d14dd291783191da87bafc12685558b1a3162fae30c076

SHA512
68f65ccb711db04144f21db0fee7df16c7c0fbedcc4cb068d71fe04e89c8978505c808013ae4d68a7da115fd8bea959e2333a860c65fea66dab1d39ec2888fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftypzdd.0.vb

Filesize
15KB

MD5
a9732c728c422f5f98b424898b7dded2

SHA1
5f864b3c3f6ef1baf67077430df3a3fe941de0e3

SHA256
a7cc957facd2ad490ab0456868c0a1c6484f38709e3c221ba300442068bc3d49

SHA512
f0585f53812ff8551320dbdbe02bf358b08a9b536f24d61899e8eee63f57b85d80f5d7af2bc288697374b91332f4b4fa602c3a3d6eff2b4aa5ce62e840c0d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftypzdd.cmdline

Filesize
266B

MD5
4fd0b6239244dc0a3c71c28bb55d234c

SHA1
41fa3f2c2c2fbfb0a0d9e0824e6de2936a2a6030

SHA256
b8c3e6be6b59716464ec0a1f3fcdaeff5995b636773b78677139f1168b9781a8

SHA512
82cfa63794137c6ee5fd9ece85c5b16ffb8c8f1538514c420f544a28bff5ed65afa5364c570b1d07e7b5d34c4349a5219d480aa23251386e5aeec02ccabbaa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46E0.tmp.exe

Filesize
78KB

MD5
8fe45568c3c5a42b93b3ccfe52f1168f

SHA1
1e05c86a187a92753095d302da70c7cd7f97ba20

SHA256
a0292521e004cb21cb422d387a96737dc53c4ebb7dc9daa9b5fb5d8d77869fa8

SHA512
800fe31298306127e9fd9fbd8e922fae69006d73ba9584e771b23cd918a5b259d85740cb13eaae99d433edc7f4771257cd375b12b207e4b9af26b990e7258263

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc47F8.tmp

Filesize
660B

MD5
7215f93d8e3e5e37ca0822c8a686ea17

SHA1
fcaf26245373989d197d562428f1358a8be537f7

SHA256
16ad7aec4ef29d43c421079ebab6bd32d8c24e8101d10ecd910f16e928e8313b

SHA512
c45018e03dbab42243b993a61f07869d9b6bda7fee5dac75a4ae2218787c5e9e6253cc4bd54759e6f9467936ef2068c7d8cd11c6915f6e84748a9e32272078f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2700-8-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-18-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-23-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads