metamorpherrat | 3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771

General

Target

3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
Size

78KB
MD5

416f3a92bf80d60a7d15df33571131d0
SHA1

95773d53594751128e3628f729fc869e77805431
SHA256

3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771
SHA512

f29016418fa19f1e66c017bc550ff9982a5b51940f3d2f09a3d44fbee75a6796a1969efc738d9c6266591c7f1cbf36486375ce9273461d327e015fa33f1943c7
SSDEEP

1536:ne5OXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN609/D11v:ne5GSyRxvhTzXPvCbW2U/9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2936	tmp843D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp843D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp843D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
Token: SeDebugPrivilege	2936	tmp843D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 388	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	28
PID 628 wrote to memory of 388	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	28
PID 628 wrote to memory of 388	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	28
PID 628 wrote to memory of 388	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	28
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 628 wrote to memory of 2936	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	31
PID 628 wrote to memory of 2936	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	31
PID 628 wrote to memory of 2936	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	31
PID 628 wrote to memory of 2936	628	3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe	31

C:\Users\Admin\AppData\Local\Temp\3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
"C:\Users\Admin\AppData\Local\Temp\3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0lcsmn2h.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8509.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8508.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3c5ddf6e5f5940a6279dfe5439c3c139565817e0ac24ff25f1bbbd82561c0771N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0lcsmn2h.0.vb

Filesize
14KB

MD5
9b5bad0b4009757d9607dda0ba7af686

SHA1
89ad022379f84e2efd3d19025de20a77b0efb558

SHA256
09a93c3f25dad9676a9ff69032621c79defa95118ce93c2df2fa0643d138ba65

SHA512
929b3f19cebb004ab278d25d1278a453213bfbfd85520c956ad20478dea64c3a1446753802ffad2c4ad9ddac6d676dcbb964a62946663240d17f309d29d27a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lcsmn2h.cmdline

Filesize
266B

MD5
afe2f350659c89cf2ef685d8fed65e22

SHA1
5471b18c15e9d6e711db43223259289b2a5e99b5

SHA256
3ecc3cc93fb1c0065032e3960650ae0c0317ff73accab1b5fe0d29e8d47a6331

SHA512
068b4cfd4cb48ee674ec2d87c48f0caca6e222fd22a23156b9005f302704b4254305f09e99748f1ab9163578a2d4db01a24c52803fec69865201d05139729e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8509.tmp

Filesize
1KB

MD5
edf26a936a0346574324e0c7f0bde0b4

SHA1
e4eb81cbda5c93a8c27a2ed3a90d6e04686f293b

SHA256
c6b783fedd2ac110516a5575730714210fc290ad47410ee3494f0e409796ec0a

SHA512
ed9d96e58d0e2812ebd79350f1fe96960c62e06bed893bb30f97acdd8cec7affb13e6f7e5497e09cc3b8b333ebf0ac3c80a6971c472e77233fee33d43fc1f939

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp843D.tmp.exe

Filesize
78KB

MD5
731d14b8e2afa100be328aba9a15152a

SHA1
13a878fa3a75b9dd845d1883003d192b1d7c1f75

SHA256
3560e0e26ab7eb64d6d6ad8c8e3d0b6bfd6229fa6f70f29b017c430eea869dfe

SHA512
d9f6f9b133cd620b42d63a285c7aa778cded50fa7c4c121397fd7e0072d524e679e482c2567b86722e8eb30849f5b282095be9e9aab87152d345ed16bce5e335

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8508.tmp

Filesize
660B

MD5
b01e4e5602c5aa2507c2f2c7325bd9f7

SHA1
2e16f3017c05a7b34735a428de4dda34e1c7da78

SHA256
797263a11125a2ccbd59a65e35bf7ea9d89fd7bbe70f07f6cfe4c343c5dc85b3

SHA512
54034bcaab1b740028e15727d53c49653635570bc8aaf7d7afdcabf29e0a4f556f2b391336b2a946331cae923b71f482d503d09426d2ea677c252309269f8935

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/388-8-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/388-18-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

Filesize
4KB

Download
memory/628-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-2-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-24-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads