metamorpherrat | 3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e

General

Target

3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
Size

78KB
MD5

2fbeb1fee60c9fe58950b89334045d4a
SHA1

490d9c0c998fd52530bf6b7fe059dfe3f800476b
SHA256

3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e
SHA512

d9390d1279434c5c58826885dee464c403f3c959b95ad938de74d7a75c424c4725ecd0b13afa3700a23c06bab302fae6f3f77aa9a5b6ab616f68b0f40854bba1
SSDEEP

1536:OCHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt1B9/k1PB:OCHFonhASyRxvhTzXPvCbW2U1B9/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2696	tmpB2CB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB2CB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB2CB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
Token: SeDebugPrivilege	2696	tmpB2CB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2932	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	30
PID 1908 wrote to memory of 2932	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	30
PID 1908 wrote to memory of 2932	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	30
PID 1908 wrote to memory of 2932	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	30
PID 2932 wrote to memory of 2436	2932	vbc.exe	32
PID 2932 wrote to memory of 2436	2932	vbc.exe	32
PID 2932 wrote to memory of 2436	2932	vbc.exe	32
PID 2932 wrote to memory of 2436	2932	vbc.exe	32
PID 1908 wrote to memory of 2696	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	33
PID 1908 wrote to memory of 2696	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	33
PID 1908 wrote to memory of 2696	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	33
PID 1908 wrote to memory of 2696	1908	3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe	33

C:\Users\Admin\AppData\Local\Temp\3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
"C:\Users\Admin\AppData\Local\Temp\3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eddyqzsj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB397.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB396.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3d5ffb4475cf0bd964711cfd63751cdb0607af8bfbae3ed87e441a297f89450e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB397.tmp

Filesize
1KB

MD5
13c5b0580d26a3fa94b40ce5f875381c

SHA1
6e2554ea0f9429ce840c161d15d57c2c060cf659

SHA256
97c796353ab9b5a9ee6f36d4d446762f9702ce19548e2fa8cdc9c180d08bd7a9

SHA512
5b151b00d2b8d6fbf267f6d3079e47dba12c57f153b0e1d396fb58c2e8d3f252a8c6691aa75a498391b484e2236283750aa0b2725be7868c707fbe20102be8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\eddyqzsj.0.vb

Filesize
15KB

MD5
b31fde54581e33e48950f99ce3aec547

SHA1
7b27c1cfe444b8bcec11a205d7af70753aa7129f

SHA256
66f33d35d26798fe2574a6c5e0414f465d089e15c583a2754e6e8704055107f7

SHA512
68adf0467063b597545259fd34a9d8dcaca79b44e61022b19c5b8b500e07b0ef5ce83eeea8e4539a9a33d3b8c6f281e35b5cfc6238b0b356990fce5a5f1a73da

Download Submit
C:\Users\Admin\AppData\Local\Temp\eddyqzsj.cmdline

Filesize
266B

MD5
12078676a3f4db686a3a16af38d631d6

SHA1
7803b24054d219b8b15e68fe675b9afd46ff8acc

SHA256
d3c54607df70763f70dd08e970a256036e617485d58767d97a9dce2ff34ae485

SHA512
e392cd95baf781ef1887325ff0b299a5d883f0c23f722255bebc89ba57413ddc7f6fa62d776e4975903bce455cc65a925c83532aa3eb42713aad91702900f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe

Filesize
78KB

MD5
335b10f948c8817a90a1f81072b9570c

SHA1
1d978dc438a30af440463619ac558257bea211d1

SHA256
d6bd1c017504918e22ac17bd665179e5fac67118ffbc21ebcf931c9d56030835

SHA512
8957f9b66ab3f57c6c9c0429e718894f39119dbe341cd10e8c5a589a0b9b0ff8ffeab94795f7c4e1fe8628f34476cf7e79cb4229cf81890e478f6eee0207dde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB396.tmp

Filesize
660B

MD5
8de17905e7fb919d1f45256d45825b8f

SHA1
c85588ec26982a55d700ca408405060aa369c012

SHA256
0658e7c3539a784062e591e531b4704a1c610b66d4d250a3d4335e89e7e65032

SHA512
b467a63ea9cb8300b157b83be096aa04bb9feec73d2b684b2451242079309f2112ebac6f9a795d0e4e4934518f0772b8949c882c89228f99cfab369c65fb7652

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1908-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-6-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-24-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-8-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-18-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads