metamorpherrat | 80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca

General

Target

80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe
Size

78KB
MD5

c802b4205afac4a08c6f557a81945e9f
SHA1

fa110a055ec96832585ead355bd380d577aadecb
SHA256

80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca
SHA512

0cf7812e3bcaffc44336c40c31fcd450877f0725082e81a25182ea0809034c1d506afdf626bfe82339aaf2b3bba4532a5e16f812011ce638ab6e71cb32d0d5f6
SSDEEP

1536:UuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte689/F317r:UuHFonhASyRxvhTzXPvCbW2Ue689/FZ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2968	tmp8112.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe
1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8112.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8112.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe
Token: SeDebugPrivilege	2968	tmp8112.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2332	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	30
PID 1400 wrote to memory of 2332	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	30
PID 1400 wrote to memory of 2332	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	30
PID 1400 wrote to memory of 2332	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	30
PID 2332 wrote to memory of 2944	2332	vbc.exe	32
PID 2332 wrote to memory of 2944	2332	vbc.exe	32
PID 2332 wrote to memory of 2944	2332	vbc.exe	32
PID 2332 wrote to memory of 2944	2332	vbc.exe	32
PID 1400 wrote to memory of 2968	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	33
PID 1400 wrote to memory of 2968	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	33
PID 1400 wrote to memory of 2968	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	33
PID 1400 wrote to memory of 2968	1400	80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe	33

C:\Users\Admin\AppData\Local\Temp\80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe
"C:\Users\Admin\AppData\Local\Temp\80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4soxhrkd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82D6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp.exe" C:\Users\Admin\AppData\Local\Temp\80edfb0ead390271de7d503785467111ef43f39e5433b589d8ad1cf64e1eabca.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4soxhrkd.0.vb

Filesize
15KB

MD5
5d76a594eb964db9ad8d0b8bc97a9220

SHA1
ae8bb4f691db1948ed2624744d1f9809ea34d4ce

SHA256
5113273a2dc230f7c126eaa74793d9c8df56948dff26824e1e26a444632dcd3a

SHA512
81392087d66f557d53e34026f6c8707920fa9aa01b64e492d0dce658a9b33af4cda2f5813e6978dff517aaea6bdb8f33681af8c773e1781a825160d4e7286fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4soxhrkd.cmdline

Filesize
266B

MD5
756c1cd63c2992c35aaf08ab81a73fb4

SHA1
69ba79ebabc01bf0559c6a8395fcc00562700445

SHA256
70e9955f78b664211d720e7db489c9d90b063aa7741c5de51cd1db0187a59c66

SHA512
41772120aca3fe3a94378be0ef9dc34b503c32c6b49dabe557f5d0719831c58e31a731083e407186fc4ca7cb9eb5cd002cb7e6bc77636ffcda1e0b1cf83d11b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82D7.tmp

Filesize
1KB

MD5
bea48049ebc090abb4d68d6cdac69b65

SHA1
ff43486b9da445f8e877b2761146fc8f1145b97b

SHA256
a7daa31412c63bc14279d1175c6dd2859001858920e79b8f5587ae2031d13abe

SHA512
aa0cfe45a4d2a8690f054109752eebdef92e067c22aeb6b4fa7813ea23d9195e991fec24666f9349391c7dda6041032840f7ffa6fe89cb8a69f2604b0d4babde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp.exe

Filesize
78KB

MD5
c52df48719a7f75a9713a2e5b732a78f

SHA1
484e8d859e3dd4701369bd2c5c14dbdb05356984

SHA256
a5dddebe5dc8b76f273cd052a553f19856706631e768fc007dad5e6ac753aaac

SHA512
63708b207d0c5e368d6b05d1a516cabb839403d8b689e81cff414d38c57dcbdd893c213662b5df32ea0ea00afd46c00b3c6f3cbf703b06a0b01e27c3e0b35e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc82D6.tmp

Filesize
660B

MD5
0b294b5a9911c3e9c8b3770da4159ee8

SHA1
43298aa82bd0e0badcaf6d6ce1c4aa5a4fe8119d

SHA256
2dfec24c06ad46b79068ab2626b206dbf79ee9bdfc3b432b3e80c4f50191f34a

SHA512
ecaad5cb2279d06cee87037641831a27bae658ea899eb99f247181dcd3762e22861be836261dcdd459204c552c2e64f3fd9c1ca1c336b0cbf4feff290fcb7187

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1400-0-0x0000000074AD1000-0x0000000074AD2000-memory.dmp

Filesize
4KB

Download
memory/1400-1-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-5-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-24-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-8-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-18-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads