metamorpherrat | e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166

General

Target

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Size

78KB
MD5

d4b315d9874a3aa8f9fd98b14eca2206
SHA1

431ff598d7882074480500320b252c2d1b3824f5
SHA256

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166
SHA512

53a86e36d3a7be8b79377b3b6fde04edd4d437c41a97107ca68bbd3fa59ef51f62b96b4d126fbb8de5d087ccb339acb1e14c787418a8bcb006731de354212841
SSDEEP

1536:FuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte6Q9/51gTt:FuHYnhASyRxvhTzXPvCbW2Ue6Q9/Gt

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp7B19.tmp.exe

pid process

2932 tmp7B19.tmp.exe

pid	process
2932	tmp7B19.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

pid	process
2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp7B19.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7B19.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.execvtres.exetmp7B19.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B19.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exetmp7B19.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Token: SeDebugPrivilege	2932	tmp7B19.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.exe

description	pid	process	target process
PID 2208 wrote to memory of 2744	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2208 wrote to memory of 2744	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2208 wrote to memory of 2744	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2208 wrote to memory of 2744	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2744 wrote to memory of 2808	2744	vbc.exe	cvtres.exe
PID 2744 wrote to memory of 2808	2744	vbc.exe	cvtres.exe
PID 2744 wrote to memory of 2808	2744	vbc.exe	cvtres.exe
PID 2744 wrote to memory of 2808	2744	vbc.exe	cvtres.exe
PID 2208 wrote to memory of 2932	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp7B19.tmp.exe
PID 2208 wrote to memory of 2932	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp7B19.tmp.exe
PID 2208 wrote to memory of 2932	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp7B19.tmp.exe
PID 2208 wrote to memory of 2932	2208	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp7B19.tmp.exe

C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
"C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snddhubg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DF6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7DF7.tmp

Filesize
1KB

MD5
ae25249942879c0101e61023abdf78a8

SHA1
963616044199154ea11ce1c3f6d040446f5b4e5d

SHA256
d1175df8f35d948a2790b584e11e970075e4c4aa33384a197340df700233ca4b

SHA512
8ec0edaf8c4e5b0ffeccc280204ede5d7ce13d1ef2c109b07dfb06a73ff4206c6d8d4a60c224844f6ab5b924e3338445448e89494ecf5c387eb11909ea61ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\snddhubg.0.vb

Filesize
15KB

MD5
4e32cb8f76dbf8e04f9a053755290752

SHA1
aa6c88f092f9094eb4eacfefe7b1c10df298a951

SHA256
a475cf809af3605f1c9d1f090d833994e8ba01f0b740dc9837519d61a7615864

SHA512
cb162b48e1430cfe42695f97df29c9fbf05197a1f47b9bbfdf0a5000e937d380df1acc7276d76577371c6b2aaad6c8bcbd66797620ff15edd3f382de2571d72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\snddhubg.cmdline

Filesize
266B

MD5
eeab43f99cdb4c1d0da8baa089bab82e

SHA1
a708a6fab164a82dba5d21e6132a5fb0d12834ed

SHA256
fc5e73b5f63180f7a322755dd7f30412f23ea8f181847ac4ac2682e61e82d7c3

SHA512
31e8bf3478fea26d5a96c2c54bc8632e24cb1648b653f3af482cb938c56f2346be882b63de242a6fe81b15ea3615e2a0de27ba91fed92082f9297add126d053d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp.exe

Filesize
78KB

MD5
2a8ef465ede41282b3e4b2673bba6b75

SHA1
409a11ba842bfe543df6851eea0ea6d55aac946e

SHA256
8c3116a2a73274909a58c92db2f7e8d2ca1e5e7a933d0efa5a7cca34f07b46fa

SHA512
b44d3547f1b83d49ab700fcfc1456736cde63f43fbfce0e7fb01cf79fe664d33e45d9943d74c3b350d9b3d1358a3a7a034983fb2f0d7edbc687ad91b9670de57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DF6.tmp

Filesize
660B

MD5
69d6458503796a92b7e08fb3d716f860

SHA1
07956d256d07d7b59432799595bae10b29121f36

SHA256
16d976d4851411a401c9f884679561286c570e7719ac847fb11ac1d70150629c

SHA512
9c4baff6ccc8ca9d934bde7fb1f96d345fd6de3704e8b0f23181b5413ee6515fee80719485b662a9ac6a83459702523ad0c6d1ae01b0e57738b677ead048239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2208-0-0x00000000745D1000-0x00000000745D2000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-24-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-8-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-18-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads