metamorpherrat | 06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f

General

Target

06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe
Size

78KB
MD5

4623746f0d9f743321ec82e4a1742914
SHA1

80cf2a15c3ec339c7d0433b19050a5a8fefdeed9
SHA256

06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f
SHA512

ec226481090820f09123698bd7bc20bb869611312341f5c04d2f47160a88b7f20e1cfb9c87a007f06ff5eb76804e9dd5008dc077b3e1166ae899f945fbe2b414
SSDEEP

1536:HHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQten9/G+1M9h:HHYnhASyRxvhTzXPvCbW2Uen9/Gh

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2792	tmp4135.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe
1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp4135.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4135.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe
Token: SeDebugPrivilege	2792	tmp4135.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2760	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	30
PID 1792 wrote to memory of 2760	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	30
PID 1792 wrote to memory of 2760	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	30
PID 1792 wrote to memory of 2760	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	30
PID 2760 wrote to memory of 2944	2760	vbc.exe	32
PID 2760 wrote to memory of 2944	2760	vbc.exe	32
PID 2760 wrote to memory of 2944	2760	vbc.exe	32
PID 2760 wrote to memory of 2944	2760	vbc.exe	32
PID 1792 wrote to memory of 2792	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	33
PID 1792 wrote to memory of 2792	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	33
PID 1792 wrote to memory of 2792	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	33
PID 1792 wrote to memory of 2792	1792	06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe	33

C:\Users\Admin\AppData\Local\Temp\06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe
"C:\Users\Admin\AppData\Local\Temp\06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udi0diu0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4377.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4366.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp4135.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4135.tmp.exe" C:\Users\Admin\AppData\Local\Temp\06aeb2b64f9e0519d32e318ef55190e55a91ff86c2a610959cb1f20a3255978f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4377.tmp

Filesize
1KB

MD5
d607a3bf6e05f11b74fea67077f5cd01

SHA1
21a97de8b4ab1fa70deb0113c60ef55e6d67a127

SHA256
133b2d4e1391c5bb3ab655f348f890d43788f2168e475bf9fdb437d3cce02cc9

SHA512
54c9edc6d8ad26675cdd6a31a027d5bcb42d710797e24fd2723ac49130b827edfd82c77a562111f74d25ddb23fdbbe06f2d0d3b88719359c571deefc18e975ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4135.tmp.exe

Filesize
78KB

MD5
d563cdba34cc4a8cdf7583be6f7ffdcc

SHA1
6e200dc6cab72ef7a3f37aacc30dd2d197028111

SHA256
1ba77970443fc9c2c79b19612637ef8716cc812b7ad0e776ed0ee074b873203d

SHA512
bf5d44da59e808ebe7dc7a6235081580bc239d9d28f1e92350824d785f6cc23deeaf3aa3651b91adcc50cde9b9baba328e2a6cca86a99266815fe55385b4d81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\udi0diu0.0.vb

Filesize
15KB

MD5
7c2c05663d10a88715a06cdb47b5d4fc

SHA1
9354d065d36967df85ab02cd83de27bf268e2fe4

SHA256
5783447a1563302b2a66ed8c9c9a0d882002800ce1fd9cafedba301b6cc28b89

SHA512
a44d06ef77e026161f6ba0741651d1ade187fb43de70f1c6dc7b8c1ae401ceddacbc67c5f5b7a84e739fcdbd47c74fac4e6b26971c517d9b0cedb3db6f8954c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\udi0diu0.cmdline

Filesize
266B

MD5
3f114a4915c3340645f8973846904976

SHA1
9d4c1b67157c4b6630894c685e5705feab9f5ab1

SHA256
6fdecc85f57d48d7394ddb447991781ccab877109132febca22395fc61f545dd

SHA512
654394aeb6ab4f2ba455840245fd336658f10092ab6fafb2ec7f1410ed3174591e3d13667b0ed448f79e4611f5906d97a34daa65a354413a87295513f8b77ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4366.tmp

Filesize
660B

MD5
aa3fab58f5f56590928eb35621898b0a

SHA1
7b8c26057875f81db4ba95c3f012af02000b94bb

SHA256
66902cff81832ac2a6ee1571d9b502bd227deee030f149ee5602a7360ed1cbae

SHA512
dea4effa1e45acff5383c7fc4f1a99534b9ea03cb70c4234fd0ec4d78fb159cbd45c3dc9783d689ac47b7cb35d80e27a5acaf7cf18636802e287fd81e0189103

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1792-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/1792-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-5-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads