metamorpherrat | 551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910

General

Target

551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Size

78KB
MD5

1f868660854617ee3ec7eb725188bdd0
SHA1

81ed12ec6dac4d4b74f80f02337cda1ed3bf0be2
SHA256

551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910
SHA512

963cbd76196c10c45d2ae2c576b45083e35a9599112f9ddc1f6c878945de4a247210152a23af480dfcf9c70c84235c0a8195cc7cebc986ed93a37f5e81b4b7ac
SSDEEP

1536:lPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/t16X:lPCHshASyRxvhTzXPvCbW2Ug9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2588	tmpB606.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB606.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB606.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Token: SeDebugPrivilege	2588	tmpB606.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1628	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	30
PID 1664 wrote to memory of 1628	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	30
PID 1664 wrote to memory of 1628	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	30
PID 1664 wrote to memory of 1628	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	30
PID 1628 wrote to memory of 2436	1628	vbc.exe	32
PID 1628 wrote to memory of 2436	1628	vbc.exe	32
PID 1628 wrote to memory of 2436	1628	vbc.exe	32
PID 1628 wrote to memory of 2436	1628	vbc.exe	32
PID 1664 wrote to memory of 2588	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	33
PID 1664 wrote to memory of 2588	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	33
PID 1664 wrote to memory of 2588	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	33
PID 1664 wrote to memory of 2588	1664	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	33

C:\Users\Admin\AppData\Local\Temp\551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
"C:\Users\Admin\AppData\Local\Temp\551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lnybd2ab.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB847.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\tmpB606.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB606.tmp.exe" C:\Users\Admin\AppData\Local\Temp\551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB848.tmp

Filesize
1KB

MD5
38f0fa643572a4ab1771a671372185fa

SHA1
2150b2bf3d539d856bb2a1df33d51b22e33825c8

SHA256
448229ae878c0cfc2ce40847d435cb69dfa6af92835166e279bd6c933faf4892

SHA512
4c0ed6a1e7d648b2dcea4a49dde2aaa7d79103c0dbe268d74e2cc06d68f3dd9340c6fd585653d0b1bfd2b9159d368b21edd6974553bea7018354300b680ef278

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnybd2ab.0.vb

Filesize
15KB

MD5
c4879ff5ff90fa69888f5702d76309ab

SHA1
158e721a966648c25dd8d0d33ba738457b0d0763

SHA256
8583c564e9d86cf29e2fd6c9361252182c08fe975b955ceb25f6491d7c0df383

SHA512
9b205558db67053054f17c9fa230da15f0e3a0baa1337398bf9c48624ac9145500e7dcc87d7116a76cc795f9bbc967e294cc3e144f6871a12d73d034c2f44653

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnybd2ab.cmdline

Filesize
266B

MD5
eba07397de4650832e986daa6b1bcdfc

SHA1
0013c5217f46fd5dbbdfa22a104d47fb8cb6f0d8

SHA256
fefb7956c7d80b4eb4893d47a765b9a7fefbcb7fb8441164b212172b450376de

SHA512
e91e9e32f8d3e1cea83130ad4f876c7a56a771be147d828bfd7fd56df8db6b083aec3f4915918b31b24a1f9857fbe45961b88c0389ff189ed361b3a41b029a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB606.tmp.exe

Filesize
78KB

MD5
5f47d10ce762dabad7a101bfc8056840

SHA1
1c8e6c45e7b239d4df1825e7b91220cce2069269

SHA256
02ef53e94c7fe5fa80f221af4301a53edd1724eac05d09430a0de9786c308328

SHA512
5ff3308d1255a9f8893e90252c8ef624fecd20a0f32e0fbd594d740302f2171e1cbe3b6772c75e59374a674c59a5abf8f38a323c181da6b5b527a7f10b11c908

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB847.tmp

Filesize
660B

MD5
eba7fd90795813e5d41da67ab779f110

SHA1
c7c22da610d88319d7135a5aaa339041f122446a

SHA256
f015df5b8b7b0a28f34a6117270b8a32d3503731125d6420375943c1ddfc4f27

SHA512
0e34055fac49152c18d08d5e7ada7c0fe08c8d0f8595b1d981c70f6753ca7b50477d48d1a25adc74cd48afd9726e98f2de72a9e38d167a338c682b3af6208fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1628-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/1664-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-5-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads