metamorpherrat | 98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4

General

Target

98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
Size

78KB
MD5

b6964b69084e547da48a124ffe8b27a1
SHA1

82aa88b6240930f876c47f6b4d0a5eef543379c0
SHA256

98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4
SHA512

3a6d9e992b1a7353da033b87fc96f8791560de9758e0f3e144b8b3a48f9764cc91d8ce004d1e17ae9053c75ebd6b2804a8b9a88dac22f8585f958f59ae907101
SSDEEP

1536:sy5mXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6l9/71xi:sy5uSyRxvhTzXPvCbW2UG9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
812	tmpB951.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB951.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB951.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
Token: SeDebugPrivilege	812	tmpB951.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2664	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	30
PID 1768 wrote to memory of 2664	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	30
PID 1768 wrote to memory of 2664	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	30
PID 1768 wrote to memory of 2664	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	30
PID 2664 wrote to memory of 2856	2664	vbc.exe	32
PID 2664 wrote to memory of 2856	2664	vbc.exe	32
PID 2664 wrote to memory of 2856	2664	vbc.exe	32
PID 2664 wrote to memory of 2856	2664	vbc.exe	32
PID 1768 wrote to memory of 812	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	33
PID 1768 wrote to memory of 812	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	33
PID 1768 wrote to memory of 812	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	33
PID 1768 wrote to memory of 812	1768	98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe	33

C:\Users\Admin\AppData\Local\Temp\98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
"C:\Users\Admin\AppData\Local\Temp\98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o3cx3jov.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA89.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe" C:\Users\Admin\AppData\Local\Temp\98162ecbacd91fd2d4ba8f3381a72d927fd8c3772b5526067a45a2466b118ff4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBA8A.tmp

Filesize
1KB

MD5
b6406b1d57287d3aa17d02e47e1202f7

SHA1
c70c59c06bb87930369508b80b82b37858422aa6

SHA256
816fdfb3d2086cb9ee34e8042f62e628e5111f0bfb940a8580611d61360be5dd

SHA512
07b9cd009de42b72267849e85826a04b9cc25c228d7f1ceaa600abdb0c463f041e2e6f7b294014be7c1c4140ce6e6f249c9571cd078358059ac6059ce09a4d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3cx3jov.0.vb

Filesize
14KB

MD5
78a8ee35e34ce41b93317d3f1ddb4d78

SHA1
daf8637a55e1891a3a6a8f258df45cf8f4d83b61

SHA256
75c07e65e38857bdb10f9a37ead49c72e944d0b74f61051b21f9a73c5a6bb313

SHA512
fef23ae483cf43f68afad8b1c54d576b4181b4dc63ac317a0db9c5647f1043c0c7ed5134bae6980c1ecbb29febf6bf55037271f8ee0fc1d5a977e6c04a16d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3cx3jov.cmdline

Filesize
266B

MD5
78539acb49156ab8b7e6cba8f6b4a6b2

SHA1
aed9b7cb810e147587d698c698f597e16a7eece8

SHA256
e0f5fbedaed3d83c1e516da2fc5ee1f2069d55368e4f408bf5e5852f67ab729b

SHA512
0b03e8603c8e82a38b2f9eac8ca39b5010b719c956b4ffe37d6d7fb145a53167eb9744e5e60a44e3a1887571728f7ebbd6c38fd7c30e3e7c4fd93b5171111501

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe

Filesize
78KB

MD5
bc2938d1758e73ae5890661f0c3035db

SHA1
d8e08e1390a02cb7bd0a73aefd7bcd67c990eaeb

SHA256
6d557c065ddc94a6de6e5887b3db8961d84ae1f7f0fc7234a2ed566fc61e2e30

SHA512
9bc9dbc96355b037bb75ee5c14737922020a75105c13887988a24bb44d56ef527271b958e7e359fd8a526b7c6345c27338db73eb78de3600480973529d2d6c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA89.tmp

Filesize
660B

MD5
5f2d079cf938d14f5c289e103b45a513

SHA1
a1c238805f1563e0af7c4e5b889337ef312401c2

SHA256
e3609993eb63577ae9f5fafc96280428133a03fc1ae68f3363ac895d14474491

SHA512
523a37582d59600f2babe765072ab340a65bce2c59951eef246da129cdfea19f6185fd2fc8d25fb54995fd447f727ea4c0e9380c5f9091d2ba098fa0c9be8101

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1768-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/1768-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-24-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2664-8-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2664-18-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads