metamorpherrat | e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166

General

Target

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Size

78KB
MD5

d4b315d9874a3aa8f9fd98b14eca2206
SHA1

431ff598d7882074480500320b252c2d1b3824f5
SHA256

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166
SHA512

53a86e36d3a7be8b79377b3b6fde04edd4d437c41a97107ca68bbd3fa59ef51f62b96b4d126fbb8de5d087ccb339acb1e14c787418a8bcb006731de354212841
SSDEEP

1536:FuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte6Q9/51gTt:FuHYnhASyRxvhTzXPvCbW2Ue6Q9/Gt

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

Processes:

tmpB9BE.tmp.exe

pid	Process
2768	tmpB9BE.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

pid	Process
2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpB9BE.tmp.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB9BE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.execvtres.exetmpB9BE.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB9BE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exetmpB9BE.tmp.exe

description	pid	Process
Token: SeDebugPrivilege	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Token: SeDebugPrivilege	2768	tmpB9BE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.exe

description	pid	Process	procid_target
PID 2312 wrote to memory of 3044	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	30
PID 2312 wrote to memory of 3044	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	30
PID 2312 wrote to memory of 3044	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	30
PID 2312 wrote to memory of 3044	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	30
PID 3044 wrote to memory of 2640	3044	vbc.exe	32
PID 3044 wrote to memory of 2640	3044	vbc.exe	32
PID 3044 wrote to memory of 2640	3044	vbc.exe	32
PID 3044 wrote to memory of 2640	3044	vbc.exe	32
PID 2312 wrote to memory of 2768	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	33
PID 2312 wrote to memory of 2768	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	33
PID 2312 wrote to memory of 2768	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	33
PID 2312 wrote to memory of 2768	2312	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	33

C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
"C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tm8ixi5y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB15.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\tmpB9BE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB9BE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB16.tmp

Filesize
1KB

MD5
ae92dd1ad4ee91d104f39414c34bfd63

SHA1
6d4f1c612ffb984f5400982d139f00fd1d80ff5a

SHA256
8fa72dc15ce40eefed9d940dcdd1626fe58d1c2d36dd5235b73895e0a2a755cb

SHA512
656e20136aec0b736ee059fb13a0979def3d68c87c527170d04a7fca0f8c1318fe625bec662d6060567db626c9898e20fb33b1563d1611a1b5bc937ccd616c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tm8ixi5y.0.vb

Filesize
15KB

MD5
f617a0b2955106225de01d3519e781d6

SHA1
ed3779a0e6dacdd35309a8a73f9b7d865c051b86

SHA256
b2e4cbc7c12e7e5b24c6a91d3e899ff8c99d63c9f53dc64f28d66ed35fa92afe

SHA512
38c7b6d48d55bc5601e381b61b3d0d7413e8553e2355465686bfbd42935c65a566c4901da3004d91226120a408b2c438bf630ce578ba7fecc2a1b702ca44f503

Download Submit
C:\Users\Admin\AppData\Local\Temp\tm8ixi5y.cmdline

Filesize
266B

MD5
ce63dcf68258961a86e90c95c23efbd9

SHA1
12d8a7a87ff4704105ffe13c4113b2070330a313

SHA256
a618f3769f323e4cc3a5bb3556736b0a0a3d2757169a19fc908089b108e157a5

SHA512
642b8dd0a6b00b42a93258d5cacc2d9f8a00be076974e789eab417a4302a762b09b4646956757a8f7433677dee0f993c5c0723c24ddd3a0de592b458f546651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9BE.tmp.exe

Filesize
78KB

MD5
fa9bb8b30f8197ff099ba4b0c22150a3

SHA1
2fa5a2d4df4ac710b89aafbc34440ccb9912bd2f

SHA256
e16e3f102adeaf1849501508376c04e78cc2ff93e139860e12d95b99ce4ddc14

SHA512
9af7b5fdf5a0a9b2d499507caf0dc2e784b7be7303b451257193ec1a68cf357421868ca03ed58928cc7dd7461783ca5ff3379939ad16bb62320d39c559d6cdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB15.tmp

Filesize
660B

MD5
8179d0a2065c6a27e77b3b562a7630ab

SHA1
f77c76d041e15f38c91d012d27da90999f2d5957

SHA256
619d3854ae8e9d4346a14626d88cdf5b1155d32831db0120c118d57d94e7ef93

SHA512
0a938f6d1785070321730e0d1675c9cdec313aec090bb09e4eb0f4e63e1621324fac67e5c7f20a1ae5605bd7924e09bd1672246e2b45f131a5849b433bb9508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2312-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2312-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads