metamorpherrat | baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712

General

Target

baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
Size

78KB
MD5

35419f1ef04bb0f1b76f9b96f3f8ce10
SHA1

1557d4d09d9f56d81035a65b331189b845dc81c1
SHA256

baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712
SHA512

90300c711954f902017af6252dd4d77c4a73b2cbcb472b3eff5508d86b3ef81636493ac860ad5f0323c9e29b0f806d62b815be658c73f16ca4f95810bfdcdbeb
SSDEEP

1536:VHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtz9/l1QXF:VHF8hASyRxvhTzXPvCbW2Uz9/4V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2920	tmpD3E2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD3E2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3E2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
Token: SeDebugPrivilege	2920	tmpD3E2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 864	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	31
PID 2316 wrote to memory of 864	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	31
PID 2316 wrote to memory of 864	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	31
PID 2316 wrote to memory of 864	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	31
PID 864 wrote to memory of 572	864	vbc.exe	33
PID 864 wrote to memory of 572	864	vbc.exe	33
PID 864 wrote to memory of 572	864	vbc.exe	33
PID 864 wrote to memory of 572	864	vbc.exe	33
PID 2316 wrote to memory of 2920	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	34
PID 2316 wrote to memory of 2920	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	34
PID 2316 wrote to memory of 2920	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	34
PID 2316 wrote to memory of 2920	2316	baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe	34

C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
"C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpw5lhln.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
- C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp

Filesize
1KB

MD5
619f5e1221daa8ea20b8fb309bfc49aa

SHA1
ec43ffce0dd2774c381dbdae06379a1fb83d67ad

SHA256
b3d5d8b80df8856db19141e354f5a0af91f78b8a2f0b22cd2451832e991a5ebc

SHA512
c97de8ab8a9c60a319321451da9b21ea9d97f3668a53bab86a4504a76fd66911c422606159c2fd91fc1c8dedfbe3c3f13a755f2761bd2160c89517d318ddab84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpw5lhln.0.vb

Filesize
15KB

MD5
1a7af7373891bfa9f6e808302ef01513

SHA1
2ed7139db345d80ebb3fa51508b13f0e85f1fbb7

SHA256
982bd5f4c039c3c288014f725c3d5b1506a31ec82620fbd4f501593818f42c2a

SHA512
d390aa9701fcfb85afbdd78b1d7f34af20962b4d366e0e45e1c4ae2b48e8ff48520194755a24bb3981c7ca0ae3d7025a006b33584bfbce5f6f86642eea7d3de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpw5lhln.cmdline

Filesize
266B

MD5
711e8794c6590d4a1fe4bd0d10538a5f

SHA1
3357d40ebe2825e92394ec93bf6f2fd662514182

SHA256
32854eabf814c8b7a657e9bc78ded8120c81086bebeeffb4685e9739f27a4d3f

SHA512
0cceee49f41ad095a457c90c61dd8012a0c5a05f8b37e8e92b8557d4c14465b0c874c120dd04454794898808a06fc70b67739d5db9baf8a7a75e625091c8edaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe

Filesize
78KB

MD5
dba0d5616e0ddf7338ef447e280e84e4

SHA1
300a6c7e0ffb95cc1a42cde01b879629318abf70

SHA256
9f0b286bd218b0306cb2b937b95525551310c076cddeb23b20521c75558fe2d8

SHA512
71dbedc626e873e9e8bfc3d4b2aa14445e0c758cf25bdcfd385a7a38df1385e7eab91dde15b15ae2f81e2fc3953362ad41ec7322fc6cebc1bece4fddf626c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp

Filesize
660B

MD5
b75f66832159bf59846694b3a28193c8

SHA1
e1214160a36f7b146077745147ead789b1495689

SHA256
005b32cbfac0f2299e08e72bf09786dc219c0f8229b6e09fda277d622cfb19ff

SHA512
2b22cc0373933d76574a0077f2792cd94b720331bd44bea3c8793615d42ea8cc2741e66a81af8aeaa53a372cbaca705b2eb4f7cb3c715c9e648f89bf2e5b70e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/864-8-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/864-18-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-0-0x0000000074831000-0x0000000074832000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-2-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads