metamorpherrat | ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282

General

Target

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Size

78KB
MD5

081f7eb3cea9d5246d73df6921c44600
SHA1

71c7e898b40db4f7a0a2c4dd242e6afd8b946a93
SHA256

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282
SHA512

75087f8ff785895fcdc10cee72241e7efaade4ea926310aa3fb4c87df3a95828b033d7cc9f23d555277071e536a50c3e639f0dd74e54f5a624ae5c63e4b0a815
SSDEEP

1536:95jSBXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN679/I1K4:95jSBSyRxvhTzXPvCbW2UU9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2956	tmp7FCA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7FCA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FCA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Token: SeDebugPrivilege	2956	tmp7FCA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 1476	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 528 wrote to memory of 1476	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 528 wrote to memory of 1476	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 528 wrote to memory of 1476	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	31
PID 1476 wrote to memory of 2952	1476	vbc.exe	33
PID 1476 wrote to memory of 2952	1476	vbc.exe	33
PID 1476 wrote to memory of 2952	1476	vbc.exe	33
PID 1476 wrote to memory of 2952	1476	vbc.exe	33
PID 528 wrote to memory of 2956	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 528 wrote to memory of 2956	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 528 wrote to memory of 2956	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34
PID 528 wrote to memory of 2956	528	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	34

C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
"C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pabyzhak.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80C4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80C5.tmp

Filesize
1KB

MD5
559b7ad44091322550df8e06da9fb515

SHA1
cc8cbce51d4322258cb3e81cadd2b1cf7b3614fb

SHA256
bbe1e8b17bdf95556e55ce18aeb727a400ffbb8d61a3c47b755bf958e444e929

SHA512
914133f20c7e7af489bdef6cbbdab72a861a21fd7a252df22741b98d92bac6145fe1e01afbf4d156fa546d8c8aabb03619c34c9dc47c64930c59b24ae02214fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pabyzhak.0.vb

Filesize
14KB

MD5
900b28e4b9916c981b27d053d0c7bde6

SHA1
bc3f4150ff9ba51bab4622b02cab0895f87179be

SHA256
e7dd9f94cb7e3e0270ad3f2acf77b38a1eeb0174208c3e837d457bdf93322e2e

SHA512
ddeaaf67f026c5e7fed887f68ecd4267510d94dd90ff48e41cbadc7ae4fbf713c06d75a07aac6e73903abf2d38783302379f652ccc792841a5fa968e6a63c29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pabyzhak.cmdline

Filesize
266B

MD5
84f76de6c2bf634816b13cb8016e208d

SHA1
8b0dd7dacbebf8030a7ed37f54123c86205e13f7

SHA256
7ec1d75a421e33fc5fac854905f8b69538109d1cc76d24dac59d5676060281b9

SHA512
744b9cfaa14d7e55eaa8b483f2e8fc0b5ca9107794776deec60cf22ac185d0575fca9dccd2c975415dc47c142bc9b324652f79a7982bab9d4c201042e3f63dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe

Filesize
78KB

MD5
1888adc3c214eefcfbaf43232f493fad

SHA1
1c78f899384159995b991ac07b98ea4d5046322b

SHA256
5f1a1e1f6252c2c15195bd7d420e5a8ea9df775421fa8357ad833e33045b66ea

SHA512
dd64eb592ec4a18413559d8892b4325bfa1d6250ec410e98e669f6b01ffa0c6fd0932fd9097c591079b9f241e9d69a2bf479608000affc6ab629469477b636a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc80C4.tmp

Filesize
660B

MD5
a4dd4f6fd7b7b78d9bf274a7fedcf65a

SHA1
e45608eaeff1d9681c368aa4873560e241574d21

SHA256
9f8688717f72ed3503ce72aa9effbb0a1ac03f5373f0e7e45db5947946ed93fa

SHA512
8a4bb0d96da711dd034ebe4fb9433675edd0355b0d37531a0d75586edd26697c8e0547fa6b77c2b40cded38011cd9f70eaa4b7dcc4833d0cd883b973261a4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/528-0-0x0000000073EF1000-0x0000000073EF2000-memory.dmp

Filesize
4KB

Download
memory/528-1-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/528-2-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/528-24-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-8-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-18-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads