metamorpherrat | bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714

General

Target

bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Size

78KB
MD5

940cbf6fc38ae3ed695bd467dcd82a31
SHA1

37dcc728fd377786af00bacadc10ee427c6cee26
SHA256

bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714
SHA512

7480a388874546d61a1df263cd35ffa41545b1f712db92a43bffb1cccaa4aa6137aeaa7e0fb8ece873c098087a1519bfa0425b879a794c015a7f3ae435bc5734
SSDEEP

1536:SWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/dC1Kc:SWtHYnhASyRxvhTzXPvCbW2US9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3068	tmp7916.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7916.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7916.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Token: SeDebugPrivilege	3068	tmp7916.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2280	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	28
PID 1868 wrote to memory of 2280	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	28
PID 1868 wrote to memory of 2280	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	28
PID 1868 wrote to memory of 2280	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	28
PID 2280 wrote to memory of 2668	2280	vbc.exe	30
PID 2280 wrote to memory of 2668	2280	vbc.exe	30
PID 2280 wrote to memory of 2668	2280	vbc.exe	30
PID 2280 wrote to memory of 2668	2280	vbc.exe	30
PID 1868 wrote to memory of 3068	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	31
PID 1868 wrote to memory of 3068	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	31
PID 1868 wrote to memory of 3068	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	31
PID 1868 wrote to memory of 3068	1868	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	31

C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
"C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jmnqvmkp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79D1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\tmp7916.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7916.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES79D2.tmp

Filesize
1KB

MD5
85a9c4763319594922a256954a1e9001

SHA1
910859c9647e71dd9735cfb356433f1702a6ecdc

SHA256
29642b18c1c1f6f07e83261944c90b2a3bdb899505cfa6125119ef8caed14d73

SHA512
5c03100f145668630ea947c06c648d833b10f5e1092dc2430bb6eb1746a5b16599f3bea1e113d6adef156a5cebfaeb57adb098071eab9c9386bdc841f086f92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmnqvmkp.0.vb

Filesize
15KB

MD5
40bd52cb2ccdf544642815d660e98c14

SHA1
094fb41c6a89e56e156e201ee9404540c926ab24

SHA256
67da0416e48a9acf6807cea145580d7da28b0c2de74fc4ded219dfbd20b7cd15

SHA512
154aebc97b5a072dd6cc677c9a72d5f55ce6546add1d753c3804eee5d60fab2f6ecd9075db1ceb015050f135407ae11e83e9b053310312f553ee86fa952424a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmnqvmkp.cmdline

Filesize
266B

MD5
184f0cbe091dd16f10785300c6998134

SHA1
4b43ceebad7446edb5c58f2569564ccc47a5c694

SHA256
82b3fd6cbf00fe96fc7ca83adca46447f32a4b9bc42dd204c9b60839986320b9

SHA512
57c7d60b5b269587b9fbe6a35f9b794e993f4891a3f8c0dcf6f54d50740b7ee5846fa088150aa26545e0cd003b0bc4877b741d4e4e3ed5feefaba59c85f64547

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7916.tmp.exe

Filesize
78KB

MD5
0b7022c66ff1b8e44afda79069ff60f4

SHA1
89f4f89fdcaf8af3a5e8da2d4100af4833150dca

SHA256
7169912adfdc2328b278cacd3b41cb0c6f26ae93d84e1d90f23959fd24aab5ca

SHA512
9fa745bf8d1e872f3fb5c9b5b08e18fb0c13cfe035c5388e202d1922bdd6f252af70b0f118eef833b0a1aac28f788aa782bafd660944a781d6f932465b3daa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc79D1.tmp

Filesize
660B

MD5
a2c5b817a91fe1f8816816b1b1c2c16a

SHA1
905f09ce86eb7a77ae4fec6b0e3fb93425e6d990

SHA256
c3e5175e140e7e38664a7386c71307e6af2d227356966085b5d671594172880f

SHA512
eae88c33dbbee36040cf70d8f270129f4173d5312de466ec5b98d0c4061dcacc9808d05597c7fa236bda2e517f2c5f3d6309696c1bf32a97de8f319d2002f3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1868-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-24-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2280-9-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2280-18-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads