metamorpherrat | 030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2

General

Target

030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
Size

78KB
MD5

7f3b33bc122eee12eb653918984d2ad0
SHA1

b0667a6af3346edc57635491a574216ed0623584
SHA256

030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2
SHA512

1c16ddf84e7f3c76821e53721260b298764adf2a731211fb535db4d59ef221d0d1fdc56e714328842df02a33985d0c635ff9164758296bd7fc8f9fb34d560b42
SSDEEP

1536:OWV5rXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC659/F1Xu:OWV5rSyRxvhTzXPvCbW2Uh9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2692	tmpD29B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	tmpD29B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD29B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD29B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
Token: SeDebugPrivilege	2692	tmpD29B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1404	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	31
PID 2376 wrote to memory of 1404	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	31
PID 2376 wrote to memory of 1404	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	31
PID 2376 wrote to memory of 1404	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	31
PID 1404 wrote to memory of 2228	1404	vbc.exe	33
PID 1404 wrote to memory of 2228	1404	vbc.exe	33
PID 1404 wrote to memory of 2228	1404	vbc.exe	33
PID 1404 wrote to memory of 2228	1404	vbc.exe	33
PID 2376 wrote to memory of 2692	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	34
PID 2376 wrote to memory of 2692	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	34
PID 2376 wrote to memory of 2692	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	34
PID 2376 wrote to memory of 2692	2376	030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe	34

C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
"C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k976ih37.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\030da98e7f439066071726284a69af80255e90a149c42703ade349519b22f3c2N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD3D4.tmp

Filesize
1KB

MD5
047946683f3f3f3b9723c964afd75820

SHA1
048f064987b331a78567e1dfeaa5ac9449d68f4e

SHA256
3803c3ea3c1ac6801227667dc5311f5b567371b7a4c4ab78dac2c50a4e2650c1

SHA512
52d019d50d7c33e05f684f4b3c55ae9e509a05c38790d731867145f34350dd6d870cb57ecd8e87d5436c9b05a753c00f262ecdb54f2059eaa5bc89cbcd4cd96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\k976ih37.0.vb

Filesize
14KB

MD5
1732b6620b77291ea757bac6d3f9abd3

SHA1
be99917d43cf5e46fb81d8f931e0d7202940b9a1

SHA256
9c71a5a2b72174ac39902ee52979364f015f2447d0c259408fe4dc500d27390a

SHA512
aab65ed8a7c225db3e125ed0016f49b9f4bdab31335a8460dfa1a229d6361fc8b46625847cf80eff46be26f3d1c7e9188eca76f9005074fa39a7e67643955acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\k976ih37.cmdline

Filesize
266B

MD5
1e553154da749cbaa747c2bc44ca272e

SHA1
797d222c47edbbb1c01269f306a799d0d57af3aa

SHA256
aeb2a2f5ff8b1f40905a909a6a7890273e40122541810e0922239f42cfd5a244

SHA512
9ea13e31791d0588daa796628dbb9b6e03bdbe4a1dd5e381972da163a8809e7c9eb7d3a4a67667b3f1d8592cf4b4ee41f4ed22af5832e85b2094375a5039620f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD29B.tmp.exe

Filesize
78KB

MD5
3f60698d588389fcb85bb9be49e029b5

SHA1
de1ab98bd3e5d66d4b3cd5a7c9b1e7980c0b71e2

SHA256
886e8c3d9dd0656f973baaec583a91644dc21bb62fb7324900ed583978e9d3e5

SHA512
9251f4e73933d126688dd4124f6e1e21fa8743d14e4b1057dfb2fc42de61dfa24cabc817e3b1fd8eea8cb52027420878e067daecbba7b0dc09ea83ed7eaea4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3D3.tmp

Filesize
660B

MD5
85f641d3f7be6333eade78544aca3a94

SHA1
7055dca033efb6ff61b232442dd216729a5fb7a6

SHA256
3e1e46ffce1d15516266176c75d8d2be3d2e149b2946ee9725be5e8f34763136

SHA512
9b0ba41f0c39de16a88f3c130d611d3c5846223634e2c1d391e835871b7eb136b6de9089c20377dd094cb8a4fce23787dbf0ec97380c320e84af65df014d7d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1404-8-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1404-18-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/2376-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-24-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads