metamorpherrat | 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837

General

Target

4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
Size

78KB
MD5

c3a1198b17e210186d0f8d4d59965880
SHA1

beae2dcb7ac5d4da4025f1ad6afd559a726d2453
SHA256

4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837
SHA512

f72add240e530c845129fcd10548c20b6e7c6ee6378be469317eda123d91d0081341836c915ceb41eacb53ccc529a1a7fbbc1481fb3a7d03f2f52858870e7787
SSDEEP

1536:mHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC9/t18G:mHFonhASyRxvhTzXPvCbW2UC9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2916	tmp37B3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp37B3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp37B3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
Token: SeDebugPrivilege	2916	tmp37B3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3008	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	29
PID 1712 wrote to memory of 3008	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	29
PID 1712 wrote to memory of 3008	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	29
PID 1712 wrote to memory of 3008	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	29
PID 3008 wrote to memory of 3024	3008	vbc.exe	31
PID 3008 wrote to memory of 3024	3008	vbc.exe	31
PID 3008 wrote to memory of 3024	3008	vbc.exe	31
PID 3008 wrote to memory of 3024	3008	vbc.exe	31
PID 1712 wrote to memory of 2916	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	32
PID 1712 wrote to memory of 2916	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	32
PID 1712 wrote to memory of 2916	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	32
PID 1712 wrote to memory of 2916	1712	4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe	32

C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
"C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3pijoqd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38BC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES38BD.tmp

Filesize
1KB

MD5
53c8dd2146ecc70c3782016004a93326

SHA1
7310efd51235ba79abb99b976946ccea2a250cdb

SHA256
7d75cb3241b6906d09e40d237fea4adb8562a56871372fe1b3389303462b7192

SHA512
30d13400a4c9aae0e7e7f64e7b121f6f563cbc97b24e29fb87a32e712141429c1c664f1a013db85ce766eb16a0938890d33ee7fa09e14d6e6d6f6b25b98cac41

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3pijoqd.0.vb

Filesize
15KB

MD5
c0dc55db2b2f204aa99434c1e7b62b29

SHA1
0f1add603c921bd9aeb81bb9a1c1008a67ab8bff

SHA256
8c4d0487cb0705f9499ecbbbb7c70e95164b084f37a1b8676cfe0a7a636bd595

SHA512
bca7c985fb6677ebea46b8d9a4cc79cfa340ebe7251f2ad696e65f49eb5d36c3aec1505d41d7c5ca3ae1e43b302ddd0d475354e56052f6da54a31d2ed7e4abce

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3pijoqd.cmdline

Filesize
266B

MD5
f4d592dccbd92d87feb0f4672cd90142

SHA1
12d5fdf24b16f999e5ab887aed51b322bbaa18fc

SHA256
d5783c5bf7ef2fae757ffb1fabbb2f69b0625663a5701f16cda1953455a02a1b

SHA512
939fe0051b0c8257482d0fe069066a101326f051a3a96f037a7e7f43cdddb83afb54d9a8483bb131e35dca54328fe49cb60f108ce44977dfebb8ade3abd156c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe

Filesize
78KB

MD5
473d5d9d12e61d09bc7782b441bcf513

SHA1
42a5417834f5bc423f493907f14dd2e64bc2cb40

SHA256
71da75321dc7704b206cbb2568996e7a9bf32c1ed662fb5d43f8be2e97966517

SHA512
46158b000d75696ae5d562d2f672442a11785efc011a04ee11a40171e660247917a9c267c9d193b06809cc0027f8b01fd12a127d1ab9cc3e53ce3ee46d5b5e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc38BC.tmp

Filesize
660B

MD5
e3e0a810c30f39ec01e74377c92d21e5

SHA1
0f3bcde184029e339817e265f2300f19bc22e503

SHA256
1c92c26c54ed3a7f8978cd97a625252b27bd15c0a9c305a61b580769a37df09e

SHA512
7abf3e3eda7e4c91ba208cbd73c4947a11961866a263d054798e2de30211fb8f970101fad3239507cbbe94d3ef2843edd9f66efa31679571bf1151b505c19334

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1712-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads