metamorpherrat | 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919

General

Target

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Size

78KB
MD5

3682d0e08952bd54fa17a1fca835727e
SHA1

e3ea814f3be54232c1ca53ebca6a710de7b4708d
SHA256

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919
SHA512

b22f55673c20afa9a52dee71469cea1d63b33627475fb18b9dca6dfb600810cec5a6bc9d6d9d45d71a4a688750732d4d1de0fd5eb69441c5f3d9e63c8a6b475a
SSDEEP

1536:tc58pXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96R9/41Shz:tc58ZSyRxvhTzXPvCbW2Ui9/jz

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2844	tmpA42B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	tmpA42B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA42B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA42B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Token: SeDebugPrivilege	2844	tmpA42B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2040	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	30
PID 1996 wrote to memory of 2040	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	30
PID 1996 wrote to memory of 2040	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	30
PID 1996 wrote to memory of 2040	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	30
PID 2040 wrote to memory of 2536	2040	vbc.exe	32
PID 2040 wrote to memory of 2536	2040	vbc.exe	32
PID 2040 wrote to memory of 2536	2040	vbc.exe	32
PID 2040 wrote to memory of 2536	2040	vbc.exe	32
PID 1996 wrote to memory of 2844	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	33
PID 1996 wrote to memory of 2844	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	33
PID 1996 wrote to memory of 2844	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	33
PID 1996 wrote to memory of 2844	1996	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	33

C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
"C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ovxbf65t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA719.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA718.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmpA42B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA42B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA719.tmp

Filesize
1KB

MD5
099b030a69a6e1194989ba3c8de1e17f

SHA1
5494d8c1b209177830d10aee64cf8a8872ead904

SHA256
1adf6170f0999d9696a4c3b224ed391dd7442c8049cfd3dd06cda3435f5d7278

SHA512
af0610d4b03046dd9a29491b2afae58f881ee12c8793fdd12d55d040318a89511b764d8559aef89bfcc938ba0d2d57337219fbed8411a380465652bd748e7f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovxbf65t.0.vb

Filesize
14KB

MD5
01301df5110b1f0b7637e2ab8fcbcf72

SHA1
a705cebdcc3de6e12fe82d4213c24e4dc8020c40

SHA256
f797438e2888645085b1f4d8012efb05a47757d549a3cd32419204ada4704ceb

SHA512
ad659c908c1f1124679395d51504318e4f6ffeb8db96ceb133b78a859becc803cdfd51cd92e1656374ef097f7b97a662db9d3210d0b5c1133e8149cbbbcd934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovxbf65t.cmdline

Filesize
266B

MD5
b88891533f28b70d41cea0fcecc15aab

SHA1
9f74b8955ca2abd9a7bf9df0a23116c185851eb6

SHA256
bd15864658964a7e8dc16ad23ae275d99a07e99e2386c3bd4b5cd1f64ce4c411

SHA512
a2477ec1716cb9af00be38959c89afac2f36e3259dfc6f0764bee3a8cb6bffeb29571a8a5b8bb4a449c5923931b50a4c7c056455987e1b5a62bdb55285348fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA42B.tmp.exe

Filesize
78KB

MD5
be0e476a06ca700b7d9eb58b8d8ac8c8

SHA1
78063c4e18cc1550f903f3590d3349ad07585711

SHA256
9dd1e812ce807d4ac91e9f6f279504e22909dc182a7c0c64918de958e5e35150

SHA512
903b8a2c54b07dd89e0b21f920f8bd62c9a77b16847b5f71b092d1d8f15134bf2258e02d9c1d49a1d213deda8f653221fda5835fe85a79ea553d2b648af765bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA718.tmp

Filesize
660B

MD5
e325cf21abdaab2c7767bfec07ad5e8c

SHA1
da63d26669a47e62384ae1f89891f4eba83e6d25

SHA256
2aafec74fce3e7317b1957e228091e8a6b7cba656ca174802881b5884ba74428

SHA512
a1a636be15726444ea7a1ea100f7446887ae3ea8ab7d652f739f1d33100e46d9ecf919235a2d499582b9e6da273f2b078c1aaa65692f906efb73341755cfd0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1996-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-6-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-23-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads