metamorpherrat | 4c16d4255077e312e81bdaff984b65fab478179e7c302be88e01a40648026d9d

General

Target

85179dcefb0ad2d2d5049c53d093e700N.exe
Size

78KB
MD5

85179dcefb0ad2d2d5049c53d093e700
SHA1

fa2570fd80b7366207c2eaa307a8b930e1b8e866
SHA256

4c16d4255077e312e81bdaff984b65fab478179e7c302be88e01a40648026d9d
SHA512

1b9e56e6cfe66b20eeba4e8672f7d947c6e10be3f78502bc7fcbc620055ce7ea92f09d0d2ae291819999217c7bc3d0261c5a27b1554566028011301327331646
SSDEEP

1536:NHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtk9/op1RA:NHFonhASyRxvhTzXPvCbW2Uk9/oW

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpD1DF.tmp.exe

pid process

2708 tmpD1DF.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

85179dcefb0ad2d2d5049c53d093e700N.exe

pid process

2900 85179dcefb0ad2d2d5049c53d093e700N.exe
2900 85179dcefb0ad2d2d5049c53d093e700N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2708	tmpD1DF.tmp.exe

pid	process
2900	85179dcefb0ad2d2d5049c53d093e700N.exe
2900	85179dcefb0ad2d2d5049c53d093e700N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD1DF.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD1DF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

85179dcefb0ad2d2d5049c53d093e700N.exevbc.execvtres.exetmpD1DF.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85179dcefb0ad2d2d5049c53d093e700N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD1DF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85179dcefb0ad2d2d5049c53d093e700N.exetmpD1DF.tmp.exe

description pid process

Token: SeDebugPrivilege 2900 85179dcefb0ad2d2d5049c53d093e700N.exe
Token: SeDebugPrivilege 2708 tmpD1DF.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2900	85179dcefb0ad2d2d5049c53d093e700N.exe
Token: SeDebugPrivilege	2708	tmpD1DF.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

85179dcefb0ad2d2d5049c53d093e700N.exevbc.exe

description	pid	process	target process
PID 2900 wrote to memory of 2096	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	vbc.exe
PID 2900 wrote to memory of 2096	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	vbc.exe
PID 2900 wrote to memory of 2096	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	vbc.exe
PID 2900 wrote to memory of 2096	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	vbc.exe
PID 2096 wrote to memory of 2692	2096	vbc.exe	cvtres.exe
PID 2096 wrote to memory of 2692	2096	vbc.exe	cvtres.exe
PID 2096 wrote to memory of 2692	2096	vbc.exe	cvtres.exe
PID 2096 wrote to memory of 2692	2096	vbc.exe	cvtres.exe
PID 2900 wrote to memory of 2708	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	tmpD1DF.tmp.exe
PID 2900 wrote to memory of 2708	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	tmpD1DF.tmp.exe
PID 2900 wrote to memory of 2708	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	tmpD1DF.tmp.exe
PID 2900 wrote to memory of 2708	2900	85179dcefb0ad2d2d5049c53d093e700N.exe	tmpD1DF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe
"C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2692

C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.0.vb
Filesize
15KB

MD5
776a2e67edfbdb31ab216aff856bbe11

SHA1
e5b367de35a3197b69061a66dc58ff5425c22c32

SHA256
18a410a15b531de835a2b75621b12d5a27c64cdff8238382b1820a15bf49d70d

SHA512
779aea45db9c2a65e8f293a404cec28fa057f15ff88e53862d53cb29dd85cd45858f5e05e258bfed9f8b3f93a1ce279f1249a7714f2001c6ea3dcfdbc5bf0601

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.cmdline
Filesize
266B

MD5
74615573ee49317d674041334c2082ab

SHA1
7a5a35736959d3f54b2a92efaa5f34176144b0a8

SHA256
7a7545fe196d3e2a5154e1831c37cab43e45869bfe77bb6be88e2ce71be2f530

SHA512
658e2972dd456d752ddda457c8388fb118b0dd72ee0b6733c097cf6093ec4eb45f10c1eff2c69a9197f0a603f73dcfcdbd54a19e98523d18d2079f39c128cfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD2EA.tmp
Filesize
1KB

MD5
89e510721dad5eb34ea0feb4f7c2a71f

SHA1
a7357878e470420de71fa3f07f4d40dbb410c516

SHA256
56071ba9fbc27cdcee98cb3299aba199b51f221457183f5f9ca7ed2ffa0181b1

SHA512
4c36e48c370940341faceea78892fc60812c861bfdce4ea793fdbe6ed4b4c8ff9b315bcb767fe2456d24b1555de332c142955383e07df333fad87db60b452883

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe
Filesize
78KB

MD5
7c77b393a78f22dc61378a167019366d

SHA1
168d466124f45357e53cb9c365154b7e6869dfa0

SHA256
3206ec00f19540064b5c639387e7442e0ea07180c37e7c4f75d21ab47ab7d922

SHA512
918e46c723087b8f9334f6dacfd7d0335214da734bd1838da33faf667d3dab091a06187e046cfb9fb8a71ac2e49875d933714be9186ea4f27ed992367260cf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp
Filesize
660B

MD5
ae712b8b531a90a249f4c864b3f91e11

SHA1
39a70bbef717e74f505c8be1d24e6942fbbeb86e

SHA256
30c24afa60b73444f72cc7859729e246784db52540260b6bab85aae664bfa049

SHA512
56ff7760460ac93cead8e0727cb75fc3c025951a4b75e016d3543ebdfec91dd9a55d2ba04dbca0baeb4d0b5a6d20574e117528b0042ed96169f420bd0fe74577

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2096-9-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-18-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-2-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-24-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads