metamorpherrat | 4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43

General

Target

4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
Size

78KB
MD5

5179c9c6ad63c61ba49cd65b2fbf8860
SHA1

0c86a4c9df098d8e4df7f0416259fadea6db93e7
SHA256

4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43
SHA512

32c312d6c3f463744811ee59f125f82e3118965393e1a5b3bd4a96387566edacf1c572bd6bbf83ed8b4ac49a5dd53f0de4f468275bdd1b4eebdf2ad3175452cb
SSDEEP

1536:gHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/81PB:gHFonhASyRxvhTzXPvCbW2UeN9/A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2892	tmpA90B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA90B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA90B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
Token: SeDebugPrivilege	2892	tmpA90B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2608	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	30
PID 2656 wrote to memory of 2608	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	30
PID 2656 wrote to memory of 2608	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	30
PID 2656 wrote to memory of 2608	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	30
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2656 wrote to memory of 2892	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	33
PID 2656 wrote to memory of 2892	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	33
PID 2656 wrote to memory of 2892	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	33
PID 2656 wrote to memory of 2892	2656	4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe	33

C:\Users\Admin\AppData\Local\Temp\4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
"C:\Users\Admin\AppData\Local\Temp\4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qeltpeil.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9D6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4fdeaa8ce0efd2a0b39297ce2765950fb97411c4a8a74ed6353058dfaae0cf43N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA9E7.tmp

Filesize
1KB

MD5
bbcab365fb76fd84aa59a5991bf31c60

SHA1
2cc5b9274ee5277e5f4a27710706bb16060db639

SHA256
c9d089fb147ca1a225424583b9a98bb2081751d7ec3faf0f1eedf127cc5760ea

SHA512
028436c3dd90d9621b669a68505991a5a5738625e97bfb45c4174179db87943dc03735126b27c02af3ae424cb8b08d6f477fda67eb459ac30955731186dd191d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeltpeil.0.vb

Filesize
15KB

MD5
a9d34ac0f08092dd6131ce3eddfa6e85

SHA1
945867a3074002116762626d28c595d210c640b2

SHA256
5dbf7c43d4fdc1ebf0788bf9eb78e66045c5449f2e1145e8060d91785be897e6

SHA512
43b2ad3f2f3767b2f80b7b4888ddcf985200a8cdfbe961650f813eaee762d0d083eb8d6776403596f0ce8b06425af6aa900bab7ac0176cec99cbd7ea625f19ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeltpeil.cmdline

Filesize
266B

MD5
b8202b05387fa1d941428b16314dd012

SHA1
7635adb6150d5c16b0e9f34a80d1084927452252

SHA256
c8b5dfcf53825f1539b8ec35db7d523ed8a99a885cebd9b70fae0d24c276ecba

SHA512
6d3435f38024b5ac16a26e037f272c85cc4a69b2ed7c7017eb6d4ad8c9bbc236bea5135f6b9e55d095af7fb2b52520161b1db0c4b8c35523392caf6fa5c9ac1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA90B.tmp.exe

Filesize
78KB

MD5
ca37fec416ef63a47ddd6a96d9f119cd

SHA1
f8f0b8071cf17ed718c30fa7eb4b97e549beae39

SHA256
94ed9ebf274e693ff03e527128a9d410a886cdb17aae397afecbc970f7094036

SHA512
d5d726c49deddf9758b9a4495abe8073189f5545ac53911b4ffe6e1aed9953aba7a1c215ddf53fb77912792fc0f661fa256a95b2977ce04b6a2b2564a8d282f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA9D6.tmp

Filesize
660B

MD5
9b717a5c9cf889bb5328546e454fbff9

SHA1
b4ad6eac16094e6a8d3ef45b4f89ed34a3d278f4

SHA256
6cb6fecc3388563b669a44f434fe442377910b49b8df5aee9453679d37e76a5c

SHA512
ce7a4b033af789e7bc6e1b05799d10c346d8f78eab17c095fb2fbccfea57190462fc0917d885a7e2622f8dc283530c7463dec86c02eb598bd7c831d9fafe858c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2608-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-0-0x00000000747E1000-0x00000000747E2000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-2-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads