metamorpherrat | 19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf

General

Target

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Size

78KB
MD5

101dc35f3de0a2ef05ae48feb50f3a40
SHA1

7d27ed36b125396902798471a5982cbc13c15e6b
SHA256

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf
SHA512

7a4d00a31a76b705db4c35da45b8c4a9fbffa20fab505c89c30c2f158aacea3f28ed2d489ffe70b3383384f97d37dcd6da512c3d0959168cd373bd1763d5bfa9
SSDEEP

1536:4HF3JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/Xt1cS:4HF5INSyRxvHF5vCbxwpI6WH9/Xn

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2936	tmp7F4D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp7F4D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7F4D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Token: SeDebugPrivilege	2936	tmp7F4D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2784	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	30
PID 2900 wrote to memory of 2784	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	30
PID 2900 wrote to memory of 2784	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	30
PID 2900 wrote to memory of 2784	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	30
PID 2784 wrote to memory of 2928	2784	vbc.exe	32
PID 2784 wrote to memory of 2928	2784	vbc.exe	32
PID 2784 wrote to memory of 2928	2784	vbc.exe	32
PID 2784 wrote to memory of 2928	2784	vbc.exe	32
PID 2900 wrote to memory of 2936	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	33
PID 2900 wrote to memory of 2936	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	33
PID 2900 wrote to memory of 2936	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	33
PID 2900 wrote to memory of 2936	2900	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	33

C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
"C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\crvhyrqf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83B1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\tmp7F4D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7F4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83B2.tmp

Filesize
1KB

MD5
58f1c40b04b86f4b4effc943c3fbc43b

SHA1
33fdf7894138710b7979fe1b46fe549794bab533

SHA256
cf1ff411d618f2a593616be45262c4423b7275b576603ce24af0256112ba26ff

SHA512
aad81f98c8998e5e9ceddb5b395128d00a2527d3992bd4a943cb9f2a3e066b82b74d213cecb03f84feedc9a58d4f74608903ed6988c4cf58db8d0d83b4ed3efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\crvhyrqf.0.vb

Filesize
15KB

MD5
f84b31a791f167c1af72d1498e601a2d

SHA1
908e37b15fb88760015fae3389e5a7df866c49fe

SHA256
0972f4888e948f36077887028af011dee4c69ac311a788ee7391e643622d5033

SHA512
59df319023d09c60a2cac54dd9f92a612b7dec37a339c276d87b40cbbd6a34b380eef6fcf1630ccffdd1298fef93c91b6dfb6051f216281a2f771ac40e4933e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\crvhyrqf.cmdline

Filesize
266B

MD5
39ae16dcc5c3fa8fb552da412193e8c5

SHA1
0920c92bb1a13ddc09e82238be16a7d1bb13f767

SHA256
4b2e20869665bd346238e969bca2498bf41152f1c5b2f283c7548d1db9392bc0

SHA512
4fea5d369ea55fc06b94ea6c199fe30d21ffa6b54f88e1fb49fc1fa64453c1c3d7282c77b2cd49095e08a05441cdf5558f957c3fd9d7d64cce52bc6cfa6a2885

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F4D.tmp.exe

Filesize
78KB

MD5
bdf5ee5706e9dac56a069a59ba6883af

SHA1
76ee33175512ed165718f103e412c7120e743f6e

SHA256
5cbc22868eea2efbb619ef0a4b8dfc5a972f148829d6d11d561c5843c8c6195b

SHA512
851bb78ee51feb70af61ca19b82f636467aad49748ce63410a86573a6cf623d3bfe99292ad636dbd8fe7c28e75235da233e9afffa4252260736cac1156f829b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83B1.tmp

Filesize
660B

MD5
935006575931a367d493cf41ece22e53

SHA1
6b885896efab7309247c76a83ce348256686a182

SHA256
7729ac3159faff8195acb2908ea4353cb86eb449dd6dab8ed0d3fa4eff094719

SHA512
065ec344c7ab3a23295a4b0c21bb238642ccd6258ac4a6c88927c49835a906ed270ac2c56a7fbf9967866caaaf42c39dc94750bc410c548bbd64c9cc45ce895d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2784-8-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-18-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-2-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-24-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads