metamorpherrat | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5a

General

Target

d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Size

78KB
MD5

92e31cdf5b80c13dd2ce3eb15a26e140
SHA1

6fc45160397fded95b5a6b989013cf42d28cc4bf
SHA256

d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5a
SHA512

d98bca07a3792308fa3eb433ae664cd80559f28c815b2d2b6f80c6677c07cac0621624e43cbe8cc58b31243a0772cc1e431041bb337c0093b8b9d16aef77964e
SSDEEP

1536:7Py58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN629/m1YB:7Py58WSyRxvhTzXPvCbW2UZ9/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3008	tmp565A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp565A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp565A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Token: SeDebugPrivilege	3008	tmp565A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2936	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	28
PID 1684 wrote to memory of 2936	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	28
PID 1684 wrote to memory of 2936	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	28
PID 1684 wrote to memory of 2936	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	28
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 2936 wrote to memory of 2052	2936	vbc.exe	30
PID 1684 wrote to memory of 3008	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	31
PID 1684 wrote to memory of 3008	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	31
PID 1684 wrote to memory of 3008	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	31
PID 1684 wrote to memory of 3008	1684	d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe	31

C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avfj2ox2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\tmp565A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp565A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5735.tmp

Filesize
1KB

MD5
1bc40082d070d8dd8a014af46aa9030d

SHA1
5263e10a15ab62e222679959200da2e68f3702ec

SHA256
6b23078eac375a60b07a1cf9f62fe113856f8325e3915b799611c914052ed11c

SHA512
1e67805b9de0003389152d6d15c76891299f50712604cdddd2371e9ac9c8a332d3614e331f7d74cd252dc725b7a54f4858f560c3a520d91da5f2c8659929ba9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avfj2ox2.0.vb

Filesize
14KB

MD5
8cbe2d0522c397f5f946fae23b3c9e59

SHA1
46a901da1614e4b0568f9adf440873eb872cbd68

SHA256
6578eb3e248ada1df0324a642d6c950196a1c25ce43cb8a0431decd743f593b0

SHA512
c096065eb468aef64e94f8f351dbb5d2f43ef65eab8541de646f7bfadd512b6c69194e6dbb775e504fbedefce7e2782da71852c8e5502c415bcefe217a00cc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\avfj2ox2.cmdline

Filesize
266B

MD5
a57a7c2d269cdc768ab6202fb2d34a60

SHA1
3c229823b32bde6fd7347379ff6ac52eb48957ae

SHA256
3f6ba21827274e6dbea1d5deeb7c6ea1a90c9b1a3f1bd74f7efcaf433d48391f

SHA512
c36544ea4a0f4eb00407559962ab07d1d67a39e38dc415f34ed6d807160a6a850f89c4abac9de437dfb0142341c287c359cbb6ba802ee0900f1b03c354af042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp565A.tmp.exe

Filesize
78KB

MD5
8b615f545dd1ce43cf5f52121963f18f

SHA1
348146c5014c81f97f3a590475666d49f79cfac5

SHA256
408b8389828394d8d5054cbfc34729c700cea3f618f1830c9273d1b5ef0349dd

SHA512
2c7536c957eadee00499a78621c2ab8e9a7f63e8dab2eadc95faa44184e26a4a92d3b5f240d04ea3c712a44fcc3090a31bdc24622e23d970f7c67a98708dcfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp

Filesize
660B

MD5
24cc5513992afe5fe8ce9d43147b09b2

SHA1
b34cd4ac31e6a7916aa815d88df910a157d91507

SHA256
ea756f049c0e896660484c156de948a43181ae3b705448287b9ef53f3fb95ac9

SHA512
9c7d8f366b080c4209d850cdbf040c10a98873669b20af7ab14c94cd5b7f54e8bdcbbbb69186370082e2f1fd3e86e923d01686c5f3866cfe8221280e407d5120

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1684-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-24-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-8-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-18-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads