metamorpherrat | ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282

General

Target

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Size

78KB
MD5

081f7eb3cea9d5246d73df6921c44600
SHA1

71c7e898b40db4f7a0a2c4dd242e6afd8b946a93
SHA256

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282
SHA512

75087f8ff785895fcdc10cee72241e7efaade4ea926310aa3fb4c87df3a95828b033d7cc9f23d555277071e536a50c3e639f0dd74e54f5a624ae5c63e4b0a815
SSDEEP

1536:95jSBXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN679/I1K4:95jSBSyRxvhTzXPvCbW2UU9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2688	tmpDAE4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	tmpDAE4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDAE4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDAE4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Token: SeDebugPrivilege	2688	tmpDAE4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2472	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 2464 wrote to memory of 2472	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 2464 wrote to memory of 2472	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 2464 wrote to memory of 2472	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2464 wrote to memory of 2688	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 2464 wrote to memory of 2688	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 2464 wrote to memory of 2688	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 2464 wrote to memory of 2688	2464	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34

C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
"C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pybvuysr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC3B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\tmpDAE4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDAE4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDC3C.tmp

Filesize
1KB

MD5
ee570a9563208d07329d73b5e34679cf

SHA1
ad630689207563f53a96eae0c865a215e6305800

SHA256
066af5fce9438181828c4e90446dbac98eed85e0c7d75ed7526fd4f73ea4a7df

SHA512
7d96a85fa36493f00675cee554a3c00b98ca46a5d5a143a389bf06d6190743622b4a7aaf00c3f3ff838f70604d2faf52563feef02dec64a59b7b637deba252e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pybvuysr.0.vb

Filesize
14KB

MD5
2596f17c952551572f127ecd9bcb7dab

SHA1
09294d9ef4b6b80488cd01b3fc5bc87de82eda58

SHA256
731e925fd5c22ed1219b6b0f17394a3c8cc6d830374c05f06fc108dc92dc988b

SHA512
ded09112ad30c0c4b74c9e6be2accdb2e8fbdb8cfaede490406a9b0c6b94dee7f6dcb9bfbae09d487677a1626f63ed893b8ed0509123229ee45212bee5e8bb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pybvuysr.cmdline

Filesize
266B

MD5
9125e5666420464e4d997a05eeb7b436

SHA1
a18dc1e1d69054e7fd4da2402717156f5cb090ac

SHA256
32eac5176a108017a01c251e76a904438337e8c7c06510999385baf4f54309dd

SHA512
85d7b1c3052f386afc8538384ddd41d83b77f03e2672a1bb0603c91a1c4fe31d65c387323c285d66ac9b1b889dcf698771bcf03431706ae4d036f28491242d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAE4.tmp.exe

Filesize
78KB

MD5
5c567df255f0744e416454bebd0d29d5

SHA1
032721bd4e238b89db2fc2c445faf214f795d428

SHA256
99a6cd2b8473de35bc2553d565554e4b337cfdbbb80b36f9a9b17fbf45f8a419

SHA512
240d94a1859b3d63548c0fa7c9850a5da77cda214e556ec73f0edaf2bf9ae8ae89135462330a6d5a15ff19e58a08171787302fca7c5985282f3e240516664cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDC3B.tmp

Filesize
660B

MD5
7cd61516a2d582a9404b3ac6b40cb187

SHA1
2e560302558480b4dfb3f25f1a46b072898aa538

SHA256
760c307e9a79da6767926976dfa6691932062c96ba6c7d641cc8d296ce894841

SHA512
60a7283330858f9bdf40d515434b6ad4be9e575ea7e6e286fc0b6923a4b3eabedfd5a265279c7e0007b2f8fb1e3f13cba2ca1c2cadd86b33f31fe3ad69e812c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2464-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-24-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-8-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads