metamorpherrat | 4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64

General

Target

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Size

78KB
MD5

3be3da337f614dc1ea0697ee3da2f670
SHA1

2757deb690cef71fea6d519d7db774a3fab47888
SHA256

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64
SHA512

eaf2896b8c0b5be90d166929e452872c530669f4d94a3c1daffd17a5d17bc96ee8a9999abe9f14781917c952b7fbd272e5466dcd0af01a90cb3f090644781c57
SSDEEP

1536:VStHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte19/e1k/:VStHFonhASyRxvhTzXPvCbW2Ue19/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2688	tmp9FB9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9FB9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9FB9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Token: SeDebugPrivilege	2688	tmp9FB9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2316	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	30
PID 1928 wrote to memory of 2316	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	30
PID 1928 wrote to memory of 2316	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	30
PID 1928 wrote to memory of 2316	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	30
PID 2316 wrote to memory of 1908	2316	vbc.exe	32
PID 2316 wrote to memory of 1908	2316	vbc.exe	32
PID 2316 wrote to memory of 1908	2316	vbc.exe	32
PID 2316 wrote to memory of 1908	2316	vbc.exe	32
PID 1928 wrote to memory of 2688	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	33
PID 1928 wrote to memory of 2688	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	33
PID 1928 wrote to memory of 2688	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	33
PID 1928 wrote to memory of 2688	1928	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	33

C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
"C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5pcuefrh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA065.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA055.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5pcuefrh.0.vb

Filesize
15KB

MD5
3f00e0ce76c48c1e4db2c7552ce6c761

SHA1
e750e8573b9b371521df531e6a97ab43fae47e8e

SHA256
46acd459794c609ba9162d600ca9032dd88d1847bafa4c76fdc7a2bca2be87a7

SHA512
b823536a03302ce9ee4e897d352195af36049dd1796531eb1c5a7423b91a2c8f7dd6cd7495bb56f8579dd96ee4f418cadcd801c81284dbff3adb1d9436adeb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pcuefrh.cmdline

Filesize
266B

MD5
4810c5755da029d6b3300d74b91d7060

SHA1
71a107552a639486c96b466efdaca8150837aac6

SHA256
9a8176898282f56e4eda0d304ed4476092ba72554124cc7547e56f171a98750b

SHA512
a3b96f0afe8ef4335627edcf53c3eb2d3298bfdaa46dd1f3f96c9bc6ac6f925bd0a79db60539f70c62459515d61b19fed79b46fd0137e225ea63135e5b1b0059

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA065.tmp

Filesize
1KB

MD5
2878095654657dc94079d9e1c5d85465

SHA1
dfa04019f44ec3c8a32a953366611c8af84a44c3

SHA256
11382c167c22e200608c4c7908352349f6ce6fc30aa685f9c8163321e504a0da

SHA512
64e508208c8e935e73251c3fc23cad825ff839923b2b8aa6bddd0f76b5b8b4153bdb45411dfa46ecbb1abcd8ade41005cb36514f9b6c6e91ca2041fc3b28224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe

Filesize
78KB

MD5
7df6b8378e872d1576f492c0c043dfc8

SHA1
3294389b6325648b66cb30e0e2a041fe3187f146

SHA256
57ef24707948deb24f0b9417cd341856753cc5dec00a7b4fd3457f7e47abbc3a

SHA512
e77de460714ff788cab71867c72f375e9cc49652cdd2e9b00732657a84310734670229981e40ce0b1865db45fe29c8c97fafb6c0f27ec6ab2684b9de1f8b0569

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA055.tmp

Filesize
660B

MD5
7402ee4455ab376a7495ffd72b57235a

SHA1
be5a936be83e896a7a43e560f36b87b804f7999f

SHA256
4f68aab4ee50f5c81274f3e8f29cbe67ad5d3b5d8277b54e84b68c676caf091d

SHA512
f0b5ebb89140e7dae51ce3417d1d36ffebc5231327ae5cba4eddfa32ff5cfcdb24ac772451d242b494659577fc6e59c08f2093887bce83dfe538d5c1c9e47827

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1928-0-0x00000000740C1000-0x00000000740C2000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-5-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-24-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-8-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-18-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads