metamorpherrat | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb

General

Target

b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Size

78KB
MD5

0d40169fe50fde60e4e88e57ef018dd0
SHA1

55fbbc205c7ac64b480281f8418e0c5e5d430872
SHA256

b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb
SHA512

860290b7444922a9ca23dcb37a927557ab6d44a3c00bea9f47950a23c6c6eaaf14e012f35308d4774905990c01483aa5974fd5704eeb374b3f2d6ea6bca2bcf7
SSDEEP

1536:FuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtew9/UT1Od:FuHFonhASyRxvhTzXPvCbW2Uew9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1804	tmp80D3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp80D3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80D3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Token: SeDebugPrivilege	1804	tmp80D3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1848	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	30
PID 2076 wrote to memory of 1848	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	30
PID 2076 wrote to memory of 1848	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	30
PID 2076 wrote to memory of 1848	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	30
PID 1848 wrote to memory of 2300	1848	vbc.exe	32
PID 1848 wrote to memory of 2300	1848	vbc.exe	32
PID 1848 wrote to memory of 2300	1848	vbc.exe	32
PID 1848 wrote to memory of 2300	1848	vbc.exe	32
PID 2076 wrote to memory of 1804	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	33
PID 2076 wrote to memory of 1804	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	33
PID 2076 wrote to memory of 1804	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	33
PID 2076 wrote to memory of 1804	2076	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	33

C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82uh9pwf.0.vb

Filesize
15KB

MD5
4b38a0c659551afff7b2164769966923

SHA1
8a14b92399c91588d7880c03e67ee175bb278769

SHA256
718188b16dbf5d48fea4be0bfd5271dbc846787d03b626b39bb7f2b4f00f15dd

SHA512
fab9e7e171bd831a47a9e90290eea0345ddfc48ade36b00c4fb49d7ea81fc1e3a404bafd4ec8f298ec9d6d15c1a9a3e226aa4d959408aedefb4eba88dc4ac35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline

Filesize
266B

MD5
0bcdb658f3044ba96cf2f557b06a1937

SHA1
74cbc86e9a5cb95ea8135df7c7355b459c0e4911

SHA256
b6b4a5dfb1ae29a91b87e850ade5ff8b3b59c7d6af49229702939191c6a5d3e6

SHA512
946d2157bedd16d2aa9a64a3cbe032d65ee18bd51c4bf4e0191628371d3748fce07143cb3c64483dd8dfc5635ffbbd8cd13c94d1e82f74ba85dd384d04be2f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

Filesize
1KB

MD5
155468a2f55f31cc3cf6ae57d1e0496f

SHA1
c5a8519f20157a2eab3203c2a4b64fba7819a928

SHA256
5aae1c36db88e991574788e206d9b1e47a6fb301b83e26666c48b750aae4bb79

SHA512
6d57d3490b072039c21f5e22ff1e0345b066959a037b388f9a50c2113e8cc981d44b9e535603bb811ce1156cca3ff337f847ee09256badda5e9a97532fc26c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe

Filesize
78KB

MD5
7f0951e823b10b29b3b469f1564bf833

SHA1
73695285b5d810a5ca7b09364333e4b4e5bc1100

SHA256
6550b2cf47e9f76025af83c65bc19e37230d3698c80f4366de59841a49c4a3ff

SHA512
e921f0a2871f8913dea78d6b5d91a00cf8fa37dc312d34d18dab147618dc134aad564d9863306a4d2853b04e1ab5dcdbbf1b19629048a34ebee7b07760c7f1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp

Filesize
660B

MD5
75a52caf48f5e41ee45a65a2ac6000e3

SHA1
5d953fff2ddec9867b997f9248d19a9ddcf4bf51

SHA256
3e97d06ae6777c254cb1654a6b79091061bef780b59938f7d1d7cea387cf7389

SHA512
2e9bb7718878f30d2a43ae6a36d5ac3463e8e5a9aee8d7aa553dd9099d4e481465162ff00a62ae35ef4ef102f9329ca546655fb25244a4fa62b778074cbd9b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1848-9-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1848-18-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-0-0x0000000074801000-0x0000000074802000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-2-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-24-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads