metamorpherrat | 49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4

General

Target

49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Size

78KB
MD5

1f1e0e927b192f9d4646c233e8f59080
SHA1

532c3458cb025a90f97787fbec0856bf7df0abac
SHA256

49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4
SHA512

ad141c3f301d90ed09129db0da61043627d8427b75dc793956ad24d6bc7edd47d4b6c3065cc8deb3e3b4aa0074ccec678faa3ad7e15b96cdede18ed8e2dc6a7a
SSDEEP

1536:Me5vXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtS6B9/h21Vj:Me5PSyRxvHF5vCbxwpI6Wp9/hu

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2444	tmp1E4A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp1E4A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1E4A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Token: SeDebugPrivilege	2444	tmp1E4A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2688	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	30
PID 2120 wrote to memory of 2688	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	30
PID 2120 wrote to memory of 2688	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	30
PID 2120 wrote to memory of 2688	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	30
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2120 wrote to memory of 2444	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	33
PID 2120 wrote to memory of 2444	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	33
PID 2120 wrote to memory of 2444	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	33
PID 2120 wrote to memory of 2444	2120	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	33

C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
"C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igizpfpc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FA1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\tmp1E4A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1E4A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1FB2.tmp

Filesize
1KB

MD5
17daf3550c9eca6d031911fbb540c4c2

SHA1
0640af9dcd20b1aab489fc79c26b66eb37f42698

SHA256
6219049d3968528c8d9592b9e8dab09912881b9428f361190fe988fc431e5ddd

SHA512
38dda685d9432feda3a6eb056fa40a3cd3a57b117d328414261506d347e89efd693a9eed9700f2cdafe5f28d47c3448dba4d5e8332c39afc3e04f0d062763502

Download Submit
C:\Users\Admin\AppData\Local\Temp\igizpfpc.0.vb

Filesize
14KB

MD5
da6460c251c87d3c4e3d1b5504903ac5

SHA1
73281257b41ff991259b1f13715671399f24e444

SHA256
2f6fd79ca7d9695ad4877baa383c9bbaf43915de03016bd683af93edef86237b

SHA512
b930b3cfbee0193423c6f0a1574b6603aa4cb079f76349c7ecbfef41c4a558e7f23274c63047fea7b2f592c7ee7f1028c63c72c0108911199e6052fbf4ac8054

Download Submit
C:\Users\Admin\AppData\Local\Temp\igizpfpc.cmdline

Filesize
266B

MD5
c99ebd9d281476c142635970ac485318

SHA1
2268f102bef3c0703619ec6406283f8faa4e8411

SHA256
ec65b18564dd81573e86abd1bbe508e890ab5bde12a04830f7ae30fb82ff7c77

SHA512
920a7d06a634ec9590a003fde77a6330626a1c480ea1602d037c005f8713634ea16ee2cedc18e63a35ac3e399c635cea523300c3eaf1f3a9a96662a427a7b15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E4A.tmp.exe

Filesize
78KB

MD5
74017e81775aa297d63e59b4f0e33bca

SHA1
ede51da8684ecda4c43a9361ed2b7c48722ad964

SHA256
0ee1a568d9ea031e49a2fd4265e645c7807d6408d935dc70e15d941520a0f3f9

SHA512
fa1a46699ba51326e72d32d8c3fd05b6b7927b2a72be78a3e4d372e599a2f72c7137091fdc053903951762076d90a95c722feb8846ae6cb88b76f2e85802e01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FA1.tmp

Filesize
660B

MD5
3a59044eb0ff5089ffeecd8150691989

SHA1
688747f1212b8da3f2519a217d0124c601068506

SHA256
d5d6720cea9f1c2167f43c9fad63046ef347f7c1d8b424bfa9984bbdadeb4de5

SHA512
cdba18f8b66961e1a0bcb9a9c8f4d91d02040130c99f74fac1b84f88d913dda049c713d823e338219e9034d9eb64e52760cc50d04d0152582aaee019107db547

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2120-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2120-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2120-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2120-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads