metamorpherrat | 72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4

General

Target

72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
Size

78KB
MD5

ff2b602b2c24683b28896975bdf74338
SHA1

ab7b0ac5262e1a68d5c40dcf275adae83a531cd1
SHA256

72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4
SHA512

334319c1f043e37eed2ad17ace5813c4494a54bb3370fe47fff2d828ee1433fa700083ea40635e4e460d5d54bb9905362903d7022463870215728edf92cfe280
SSDEEP

1536:kRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC629/JWV16AM:kRWV5jOSyRxvhTzXPvCbW2Ue9/aM

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2052	tmpFAF2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpFAF2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFAF2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
Token: SeDebugPrivilege	2052	tmpFAF2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2660	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	30
PID 2232 wrote to memory of 2660	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	30
PID 2232 wrote to memory of 2660	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	30
PID 2232 wrote to memory of 2660	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	30
PID 2660 wrote to memory of 2780	2660	vbc.exe	32
PID 2660 wrote to memory of 2780	2660	vbc.exe	32
PID 2660 wrote to memory of 2780	2660	vbc.exe	32
PID 2660 wrote to memory of 2780	2660	vbc.exe	32
PID 2232 wrote to memory of 2052	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	33
PID 2232 wrote to memory of 2052	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	33
PID 2232 wrote to memory of 2052	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	33
PID 2232 wrote to memory of 2052	2232	72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe	33

C:\Users\Admin\AppData\Local\Temp\72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
"C:\Users\Admin\AppData\Local\Temp\72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zx8fv3t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\tmpFAF2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFAF2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\72b1fa70de67bc81ed12f206e5ad7af28592f0b07057170f4bed935325a4e9e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zx8fv3t.0.vb

Filesize
14KB

MD5
0e237198ee1a076811fc29b20731769a

SHA1
289334335d99bd119de18e38bd346d2b79429dce

SHA256
44bd29d5b9e70b923716a113213f467c0ad17ebbea90a5f99e177e1c735f516f

SHA512
8973b2a48dacbdec535eb1d92539e3e47ce39ba97a33903d43c24739b22ab7902fb8554a1096b220a25a4b4b90eca627621f7a6e430d66e541a7a95192f9c287

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zx8fv3t.cmdline

Filesize
266B

MD5
fdcab4e731705bde42577ad0810cdd77

SHA1
585762e3be68ea3032d30ae0920340823d18f3be

SHA256
ce010046a53caa61d359f022b3920e2e2393ff37727ef9a12a76b439babfd239

SHA512
7fba802121977ef8017d6a7a100c60cb80481e82da30d1d8bf953e8361cb93257c014cfb55b8e48b3d0607f79dc860846de60e863216165d14b9d395cb63837e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp

Filesize
1KB

MD5
81eb106dcb552899f3fb55604ab9f081

SHA1
5e171732189b55ec150596a2abe494fbc5568a6b

SHA256
e845461cbf436bfc8605db379209275be01d9ab9a9ce1aaf61ac5012debac4eb

SHA512
e66be9c4f53f201839fdd62dd16a848dc717bb4b7ae978a056014fc6a68dbe348c836d61cbc4406aa2a3185bc08dbd2f3c37009eb11407293703618cb70247c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAF2.tmp.exe

Filesize
78KB

MD5
57af886c5c1ae9cfbf10d32b0f22242c

SHA1
4e1ad7f46ad4659f4792902cd019c8868cc726da

SHA256
e17f54cfbcca91311913cd6ad4e8245217cbaf5ae4b0af11664cb3b7010cf58b

SHA512
b7123cc6d75fab704366a9b56d7d6e2a9cfa695c6bfc2beeed6b6b8c9cce67498147f3c677d20442b502c68b20ef1fe684c67ee694b65bdfa54e42329b527180

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp

Filesize
660B

MD5
cd0422284742688a0412b4cd7d15e4ef

SHA1
56b473df71e0d1b6f9d42c900f0f962e3f4c58bf

SHA256
15fc83b7a6b233a701d0f5ed7fbae9586dd89ef437026321c7707e9b8df6460b

SHA512
1544c3887a9f8ba5aea0e5cde5b566a39e61f411e42749bed660eb8c5c6201a49e90751e88b82b67c502a878c3f64e7afed04294e40e757cf0e57b6ac8f71c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2232-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-23-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-8-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads