metamorpherrat | daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e

General

Target

daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
Size

78KB
MD5

3eaa57246d006fbaca448ac1b236849a
SHA1

f2a6dd57973db30f3621ecf6dd8eacdffad61aef
SHA256

daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e
SHA512

373975a3d6f8d6aac5f223f0966648b93a0e0a871c258e3c13b7e14965854ce90736880b3739790e8322abc2bc01614565f167b768df8411c7ae306e18c0358b
SSDEEP

1536:pWV5jSJXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6o9/c1Nk:pWV5jS5SyRxvhTzXPvCbW2U/9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2488	tmpA286.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA286.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA286.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
Token: SeDebugPrivilege	2488	tmpA286.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1072	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	30
PID 1880 wrote to memory of 1072	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	30
PID 1880 wrote to memory of 1072	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	30
PID 1880 wrote to memory of 1072	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	30
PID 1072 wrote to memory of 2120	1072	vbc.exe	32
PID 1072 wrote to memory of 2120	1072	vbc.exe	32
PID 1072 wrote to memory of 2120	1072	vbc.exe	32
PID 1072 wrote to memory of 2120	1072	vbc.exe	32
PID 1880 wrote to memory of 2488	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	33
PID 1880 wrote to memory of 2488	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	33
PID 1880 wrote to memory of 2488	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	33
PID 1880 wrote to memory of 2488	1880	daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe	33

C:\Users\Admin\AppData\Local\Temp\daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
"C:\Users\Admin\AppData\Local\Temp\daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqd2lucs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA322.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\tmpA286.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA286.tmp.exe" C:\Users\Admin\AppData\Local\Temp\daf90052fe5fd7a81d930e5020b5b3436a08be7b65d836dcbedb59249108f07e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA323.tmp

Filesize
1KB

MD5
0f8bc01d5df3e0938219f255f55f8f11

SHA1
1d780afeea3a1bf8ede9f0501472b560fb844a6a

SHA256
015ca80d5d287f900426005f92d8049e49a1bfda03342596b2cd3d55913c5330

SHA512
da0efec535174f3ee601f241effb65038b57c1e7509bbdc115643bb09a552b7971177922bbd1daa434895216f3dc62756f73ed2788fbb7070969e0eef9abac6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqd2lucs.0.vb

Filesize
14KB

MD5
3ddc539de9c52631e3fc5df7efdff625

SHA1
b8385dd4bb58a34afa607a6e51fe9db978f29b87

SHA256
06e4cae512084b26b8d5b24680a683fb521059d970275a1412a8621a0e7fdc25

SHA512
a4e03681c3bb35287a3d198c163b43fbd508d29e1628d8d70ca314ab6ccead9c676c94f169abd2fc26eea38e8a767620d3f0e62ec0da2b46720b3fb2bcd79a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqd2lucs.cmdline

Filesize
266B

MD5
ea763b67511109256fd7c522a8bec895

SHA1
eaa369b3f2a28e3b750cb4f8e8d8842ca337495b

SHA256
fd36ba9205682b3468ad9004a96565493703a8b5c14a1072659b115f23a5476c

SHA512
168a5fad8b89bccf04a35420288680aaee215a8a77981ae6ef5260f3ce631d4cacf240e5da1db8b1709420f6ab631ecdb50f839673cb16a3e829dff753ba9acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA286.tmp.exe

Filesize
78KB

MD5
31ed5dc70b52871e5ad1664b08558819

SHA1
266e199c91a03973d6e8e340af05f80fcb093a16

SHA256
da3bc1671f4d722387e3c20bc97f78fb237d60da888311336068e56d0acd111a

SHA512
7b35357c9b2ec0f5dc0b3ffa0ac1592ee8279dae16d2a3778357b6f0144b9de8b018534e0449967aecbf2b06a671645b1a3171ba5237013dc53cd9debffdb258

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA322.tmp

Filesize
660B

MD5
ec466584cd683bc2ff4a7fcd437beab1

SHA1
de02943d75cddbc6b7834030dbdd9233682774b8

SHA256
22432f9aca32e120cb233ee6b35b2a389ef91c9f0045eeb0b999aa821a36457e

SHA512
65e8c364c14b590674e1665174f5a226156d4632d4fa341157b64aae996b47fdf99df2344d2e58685258730501b054e86d159542ecbee024155c42b82e1359d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1072-8-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-18-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-2-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-24-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads