metamorpherrat | 19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf

General

Target

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Size

78KB
MD5

101dc35f3de0a2ef05ae48feb50f3a40
SHA1

7d27ed36b125396902798471a5982cbc13c15e6b
SHA256

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf
SHA512

7a4d00a31a76b705db4c35da45b8c4a9fbffa20fab505c89c30c2f158aacea3f28ed2d489ffe70b3383384f97d37dcd6da512c3d0959168cd373bd1763d5bfa9
SSDEEP

1536:4HF3JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/Xt1cS:4HF5INSyRxvHF5vCbxwpI6WH9/Xn

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2488	tmpD20E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpD20E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD20E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Token: SeDebugPrivilege	2488	tmpD20E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 684	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	31
PID 2372 wrote to memory of 684	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	31
PID 2372 wrote to memory of 684	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	31
PID 2372 wrote to memory of 684	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	31
PID 684 wrote to memory of 2364	684	vbc.exe	33
PID 684 wrote to memory of 2364	684	vbc.exe	33
PID 684 wrote to memory of 2364	684	vbc.exe	33
PID 684 wrote to memory of 2364	684	vbc.exe	33
PID 2372 wrote to memory of 2488	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	34
PID 2372 wrote to memory of 2488	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	34
PID 2372 wrote to memory of 2488	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	34
PID 2372 wrote to memory of 2488	2372	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	34

C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
"C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p3y0hiov.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3F2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD3F3.tmp

Filesize
1KB

MD5
a0d0509fd08192550fa7707934f63e87

SHA1
15da6686d3733915105c7e3d08764b7244d4ae30

SHA256
fdfe0321c8e82d816a5a4859f4636982b21b2ceaa157846af26c476cfb154a1e

SHA512
338e5fa2ee6865205b097b9600e9f640ae4193e70510cd9926d8a973ceec22917e5b14d205d072e3b61d948bf7e63b6a2439839e8b2b19129888651695a8853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3y0hiov.0.vb

Filesize
15KB

MD5
bc0f6c35d5352b4cd025f3b7a5675def

SHA1
f5e6b4b3509df2b3f4d128c91a8971ee28af9fa6

SHA256
bc9ee3d1c4eb30cb53cee50bd1446721918284bc164a2d7077a8505c0d04c5e1

SHA512
0a49fdaa35334de43aca623e51970e1af1ba3489ba10bbaf8ce9378d773eddde4b53a52685b8b6d843b52045b5db73b34ea305c19a039571cf1037ca659acce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3y0hiov.cmdline

Filesize
266B

MD5
9cff5142313ac9f866249de8a66bcdac

SHA1
34643a2437254556cf7181169b1d219326e14947

SHA256
4e2c2e6c640e42a8ee9f333a5bc8a1c8c62a49134b517d20606a9360701f5e09

SHA512
a38a5bcd55a7aac7d4d917bc0d443bdebd31546d18d6e283b876a7f9f9ecabcb3dff9d4599a84135222f4fb41a171e1df616c703ebd64bcc0113fe340424bf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe

Filesize
78KB

MD5
f80f48d9ab84e8c7110b43d5abfaff64

SHA1
82928bb1573d7f9f6aece49cd460b8d7ed03851d

SHA256
c213d8520e4fd864a101727ff9332028b24029a651d9925316ad6c8de0453930

SHA512
60d7a2f26f05dc44bd6747bdad6d400e09c40e3bcc4949d96aea815392d6e75debecc25bb9b9df7b8c2b4e471496875dff82129b7d11f76276178188b18f821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3F2.tmp

Filesize
660B

MD5
31412ede1e205f1e9b548ad31b5135ef

SHA1
5f92d32e181263af3473b6a9f417a8d282f5edf1

SHA256
5ba6148417ae288c51d8887f88711c6a2fec3aa05c949fd49ef31f49e7db2de7

SHA512
0f54d1f28ef2756eeb98a4cee79b1133de45df15d24177e10c09016d4c752595ad77f16a15747f4fe26d1a6d40b3e81716bc40c28c4f0db649e513084b3b3b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/684-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/684-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-24-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads