metamorpherrat | 2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298

General

Target

2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
Size

78KB
MD5

d5171a81084b9d20bfc69aa2b3702967
SHA1

418b105052f4d07a52e6f008f953ba000e0c052d
SHA256

2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298
SHA512

76681c1d08a39e340e46e4c4ce9715e1bc48ffbb85a96e375e7f86e3a4df30c1841fb345e51e7fdf3454bb694956998e93eea570fa1bf9fe415f0d0fdc44f410
SSDEEP

1536:oWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte6e9/YD12Q:oWtHshASyRxvhTzXPvCbW2Ue6e9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2928	tmpDD64.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDD64.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDD64.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
Token: SeDebugPrivilege	2928	tmpDD64.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2444	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	30
PID 1140 wrote to memory of 2444	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	30
PID 1140 wrote to memory of 2444	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	30
PID 1140 wrote to memory of 2444	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	30
PID 2444 wrote to memory of 2940	2444	vbc.exe	32
PID 2444 wrote to memory of 2940	2444	vbc.exe	32
PID 2444 wrote to memory of 2940	2444	vbc.exe	32
PID 2444 wrote to memory of 2940	2444	vbc.exe	32
PID 1140 wrote to memory of 2928	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	33
PID 1140 wrote to memory of 2928	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	33
PID 1140 wrote to memory of 2928	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	33
PID 1140 wrote to memory of 2928	1140	2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe	33

C:\Users\Admin\AppData\Local\Temp\2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
"C:\Users\Admin\AppData\Local\Temp\2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r09izhl7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF76.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\tmpDD64.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDD64.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bd50f697f9c8ca5a35ebb19b6bbd2b4201098ba5e814e5b4ccef26339762298.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDF77.tmp

Filesize
1KB

MD5
d94c909b8dabbc63cf483f125bc9c4b6

SHA1
b0f573b312fa243f06fc82986bf05af08e7d3533

SHA256
4e2a9efa39e4a53eb09d723986ded8b9227d72b0382fdbf17f9e0bd7da278a1c

SHA512
3f9aab6fcce5d3d0148569291413b99232a5337802a0f47699d61295daf5c75d08b8c8a6e086dc9b709bd4119d379d2141b41b8201a374dfb8c3b6719965dad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\r09izhl7.0.vb

Filesize
15KB

MD5
d54e1f4f922b7b00cb996e6ffd6a3b42

SHA1
07549fff12238c8f6dc28762227e795fd63e6b23

SHA256
0fe2205396c5fc3cefd47652103c07e78290e4e4106f3c5c0f01d852924bd8d1

SHA512
a3e6615abf36679f84c248e325027a8842f27002fc9abb43dce2ae8d6f4d7a54784ab9b55425a59f0a2d0d83ba8142519b0d888ce5bd0a36dbea842ac257e922

Download Submit
C:\Users\Admin\AppData\Local\Temp\r09izhl7.cmdline

Filesize
266B

MD5
9f98adde5eb14e5c056c0482fce7d465

SHA1
3f6f221dd9a429e4fb3136d9c30a7d39e093db71

SHA256
77943b3e742fe67f2fcdd7b713bc7b5eca178751ecf98a9d94ed50efc9566a46

SHA512
87f59df178fbbd09738b27c198a07291ab02d5a5f5ab21618d36c311ddc106f60aca4b8e6cf118460929c1153f2af94695c0d8ab4d1e732f9ee34f2acbc014c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD64.tmp.exe

Filesize
78KB

MD5
2f197df3983fc1d8596c210f48377840

SHA1
daf9ed5fe5290be1e251e84fbc5132e9e218d2a4

SHA256
fba45086a3695062cdebf2628e341d79a3b69033ba6b5dc224893cb315bdf2e4

SHA512
0c4fbfeb3bd5daff9e74c2712146cf18aca81845c2729389ed280cf6f430582810c6713d4453ef62f539fb9df7d84d386307b8fc15667d4750670ac813628c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF76.tmp

Filesize
660B

MD5
48b6a73ac06add6d9e92ee78fd66433e

SHA1
24c07481ef6d58067b0c8bb8d35cdd00044d76dd

SHA256
690c8d60db4ee03d3d9f18341e6746bc1238dbb6e38c440d545d9ba03793a8a6

SHA512
a12bf5804f6b8c057b4043d11f17d1d3572705451a8b7266018eda6ded43a08bb8fdd0fe21daeede2f16a5e8705c2b237020dc2a63dd778bcfc3f217457119f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1140-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/1140-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-24-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-8-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-18-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads