metamorpherrat | 4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64

General

Target

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Size

78KB
MD5

3be3da337f614dc1ea0697ee3da2f670
SHA1

2757deb690cef71fea6d519d7db774a3fab47888
SHA256

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64
SHA512

eaf2896b8c0b5be90d166929e452872c530669f4d94a3c1daffd17a5d17bc96ee8a9999abe9f14781917c952b7fbd272e5466dcd0af01a90cb3f090644781c57
SSDEEP

1536:VStHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte19/e1k/:VStHFonhASyRxvhTzXPvCbW2Ue19/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2768	tmpF2C8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	tmpF2C8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF2C8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF2C8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Token: SeDebugPrivilege	2768	tmpF2C8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2752	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	31
PID 2760 wrote to memory of 2752	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	31
PID 2760 wrote to memory of 2752	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	31
PID 2760 wrote to memory of 2752	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	31
PID 2752 wrote to memory of 2636	2752	vbc.exe	33
PID 2752 wrote to memory of 2636	2752	vbc.exe	33
PID 2752 wrote to memory of 2636	2752	vbc.exe	33
PID 2752 wrote to memory of 2636	2752	vbc.exe	33
PID 2760 wrote to memory of 2768	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	34
PID 2760 wrote to memory of 2768	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	34
PID 2760 wrote to memory of 2768	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	34
PID 2760 wrote to memory of 2768	2760	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	34

C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
"C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nbouamhb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4CA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF4CB.tmp

Filesize
1KB

MD5
b1e8c195b8db8875a67a2ae9ae5dae3e

SHA1
22d5a170bbc90622ef2a5d9fefd72466eae5f79b

SHA256
fb1b624a799453ef86e63ff34ce904e5cca7f0d357fa13e0f5ac4f1cb18ce1c8

SHA512
313c78e97c16563997afb535cbb488f392c215d50b5b8723157e773faae9e6696a6c9a2c1feb876f38fe38af225c159771361d08552074fe88b6ed823f335f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbouamhb.0.vb

Filesize
15KB

MD5
3b3a16e5a8c377b611015b2d3f8673a1

SHA1
abda8ac449bd4e08df6acbf6d5285df1c92fbb5b

SHA256
a10428c5667eb4a1f9568e6d5d2e2d86e1872c14663f5220ea3d64b226c43909

SHA512
a24dac05c758e6b3b7b2976b83cea6155ce19c3b59f947b3532b30e7093570dbb5a4ff89309882262b9c840962c0342d3a2cc7361ca3824c3034e1c8e88d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbouamhb.cmdline

Filesize
266B

MD5
cb2c040bcead5c7d7e86a933b9ca18e4

SHA1
ee6be8b6a0ea2815db06a7d8e553cf977564fa7a

SHA256
2ae424e69c006b4eb3d881c14a679418693fd7bb0d844ee2ed8e12b2feac9936

SHA512
9d4ba5ae55b8060d00431816ec8aceef347bb0cd81017e0c8a595c23ceb0931642071017aad947771a42d66988caf301d06904ccb120e7760e40354ac9551aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp.exe

Filesize
78KB

MD5
ca23428132bec8a61ed70adb46912b1b

SHA1
5864773e515b6b0e06c4bc9a9a272b1ac7ca0e04

SHA256
3eaa0ac41f7a18c21f4b76d380f846e66692211743ff1b814997031d3338d7fb

SHA512
8a9cb78b135f07e815a5f57fb5654168c29c1706bfeff21a837b4d9894538c51ba39f22ba4ccec5a633cb9937082dd95bc26a70c35c8314ece571cf2e8545716

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF4CA.tmp

Filesize
660B

MD5
aa9ebc03cce051ae87a42474debf2db9

SHA1
51043e41e3e2c662e4654c2637a9acae42c0bcda

SHA256
c5f04b5b45aef724da82b741c4a0a8e8d7ed3428974c23ec4a767c18021c52bc

SHA512
cfc8b15d8fa2073cbe92df3c74f1787dc2c65157b2f7b120dd891e92fca10c439204a37593cc27ef5d74723766baa94499ca0dd7f9420d0d67fcd547639f4cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2752-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2760-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-23-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads