metamorpherrat | 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919

General

Target

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Size

78KB
MD5

3682d0e08952bd54fa17a1fca835727e
SHA1

e3ea814f3be54232c1ca53ebca6a710de7b4708d
SHA256

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919
SHA512

b22f55673c20afa9a52dee71469cea1d63b33627475fb18b9dca6dfb600810cec5a6bc9d6d9d45d71a4a688750732d4d1de0fd5eb69441c5f3d9e63c8a6b475a
SSDEEP

1536:tc58pXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96R9/41Shz:tc58ZSyRxvhTzXPvCbW2Ui9/jz

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1568	tmpE7EF.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE7EF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7EF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Token: SeDebugPrivilege	1568	tmpE7EF.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2768	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	31
PID 2816 wrote to memory of 2768	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	31
PID 2816 wrote to memory of 2768	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	31
PID 2816 wrote to memory of 2768	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	31
PID 2768 wrote to memory of 2780	2768	vbc.exe	33
PID 2768 wrote to memory of 2780	2768	vbc.exe	33
PID 2768 wrote to memory of 2780	2768	vbc.exe	33
PID 2768 wrote to memory of 2780	2768	vbc.exe	33
PID 2816 wrote to memory of 1568	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	34
PID 2816 wrote to memory of 1568	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	34
PID 2816 wrote to memory of 1568	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	34
PID 2816 wrote to memory of 1568	2816	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	34

C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
"C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3iv3wo35.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\tmpE7EF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE7EF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3iv3wo35.0.vb

Filesize
14KB

MD5
8e2306803e85a07eebeca716e09be628

SHA1
3f03aeb8cbf005f99a5eaa48ece7d11fae8c32b6

SHA256
268b6ee0a9ecb58275394c4998e0421bf3a5947a4db188d25212286443a4e76b

SHA512
35134221d8b477c2a1683f699fd73ea8d34475a700ceb972c344a1c9881f85749f9c629819642741573e5efd44c1b8e4e568e44fc647ab951f0258372e4fcf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\3iv3wo35.cmdline

Filesize
266B

MD5
7718fb8e51a41e54fc3f5cd10e97860d

SHA1
868c8ce504f534789d21be0e2e89a1bd5439cae0

SHA256
4dc57878ff784d9fb334fb691daa29a29b8c168a776efc44216ed404ffbdace1

SHA512
d5210b4e339999967c5ce6e4ca01aef6871e517b6185c74a5f4db0f7a2cdd65853b65ab10d85aeecf686385ce5e1e7b72329ae707261f394a94732cfebbee1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp

Filesize
1KB

MD5
14c68d62193ff2fdc78835cbf710c795

SHA1
71f52f4597eedf95ffac45eae15db38ef49d0dd6

SHA256
1fb138804e4bd7d447d25badace6e770a9822c4416a42c06fc3e325f828f9a7b

SHA512
dc8e9c3bdc01b9f1e05cfc32057941b4f3210c5b0426e25527d9b75abf96cdef180cd89af035866adbffbb3d8096ea2358d436ce9ce587dc1191e409b21929bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7EF.tmp.exe

Filesize
78KB

MD5
b6fe12925b1b46ffeec2973142dcdb15

SHA1
76616e4d518bb2e71ba913fea5ad95a8b29f910b

SHA256
bfec1e52cceee3b0b29bd40d6c5174351f9ea537f221fd74e9d00d63d22dcb73

SHA512
2dfb1655587e6c9b89c64702d3f477d437bf5e00eccbb527dadd4fbf52dd5f52182d9344e35896dbc1bcd961fea0b68f8297975ebe6ec0b2943390fba25e2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp

Filesize
660B

MD5
b9b95ba73711843cc90f3fb20e6b9697

SHA1
0f94b014457675bc8641ce24eb5cbb059f40efa1

SHA256
353e7cfb6a23ad3cecac10b2085992e04bbdf202eca639c0966ae968a03aec3a

SHA512
8d21537cb82bd73c2d58dd0e85dc0c429973238eabcfaaed511516521673a34a2c75a2a4d12dad2d9280fa28a04d2df5afec164ca02eb0af731394a7acf202ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2768-8-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-18-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-0-0x00000000740C1000-0x00000000740C2000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-2-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-24-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads