metamorpherrat | d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e

General

Target

d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
Size

78KB
MD5

c43d8d3d18e24100eb4757ca61ea7aaf
SHA1

6c150fba353b5551c67d475c9019244985c769fd
SHA256

d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e
SHA512

d5770722fe73876797c84d80ad033a49def9bad460fc75920187b12d7cb55e94bcdfdb461f8e42b1bfb628b7126114739f33645b189195aabe6165d681a3c9fe
SSDEEP

1536:OPy5jSBXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6N9/R1IRz:OPy5jSBSyRxvhTzXPvCbW2UF9/sz

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2892	tmp81EC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp81EC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81EC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
Token: SeDebugPrivilege	2892	tmp81EC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 388	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	28
PID 628 wrote to memory of 388	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	28
PID 628 wrote to memory of 388	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	28
PID 628 wrote to memory of 388	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	28
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 388 wrote to memory of 2576	388	vbc.exe	30
PID 628 wrote to memory of 2892	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	31
PID 628 wrote to memory of 2892	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	31
PID 628 wrote to memory of 2892	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	31
PID 628 wrote to memory of 2892	628	d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe	31

C:\Users\Admin\AppData\Local\Temp\d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
"C:\Users\Admin\AppData\Local\Temp\d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3jldugrf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8354.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8353.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d1791a601ce11d1330a81a12cbc25cf06ab87631e6de197d860713e2210aa10e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3jldugrf.0.vb

Filesize
14KB

MD5
d8ede0278ce03c994c45c0c0a259d605

SHA1
50d7ead2e82f2c4663a5512fb768cd0af2e69a5b

SHA256
41f8af2e5ce04bc2a4511c49dc1e718e9faa06f274c9d7472016a941ba4b7280

SHA512
8657def73bca201d9f5ad3efa0133b54e17272802c0da08613cbb7e9e8a14373a02ce685cc7896c3dce43262d69c62e276893a48005a0ae5238419c2d961cdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jldugrf.cmdline

Filesize
266B

MD5
a9b4b2250fc023fd31a2d6ff1fd5abf2

SHA1
7d04092310e9e1bd8ec4c1a0e4724b8876f3425e

SHA256
63c1fe7dda5a80b0637655badfde4d78a589ea70226b46c7c8092e8ab6728687

SHA512
91dcb0475bf3b2a27680f332930ca28b771823987154a9a12f624479260654dc7ec121a150b466c7716a4a62126205c546e5cdb708e3ee4817096d652543a4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8354.tmp

Filesize
1KB

MD5
beb26812412593a844424ab1ddb9e872

SHA1
2d8bc7907e4a441b8516f61ceb88a7c7f51ef150

SHA256
3ceedcbc6f69c6c9261507508f7f2f4c8ac7c8b76241e30cd98193895d31aec5

SHA512
6c1e947e928978052d70628ea5b91a7b31ff772e041064043215a4488e43d471cecb8522235632f9ad6bb58b970703797d2526fa66806761ac86f9a1d7033ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp.exe

Filesize
78KB

MD5
0c63122cfc6b6225af2d2d012d475ab5

SHA1
7991c90218d8adbc4b124590ae2382acffc833e1

SHA256
fbd09d2392969b274031ef3d7b277c4b8d29905fd552be61e69376353995ade6

SHA512
fb689dd93bbc2ef0954fd21ea71fe63d90a81b58e87ff96c4dd25b064f6391e0f563d13a70a5956fc2add3b64e3ee56aafdbb60905892e4088afe8b4998cd0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8353.tmp

Filesize
660B

MD5
1cf6b8b5f40e9598c6af4a48d57caa71

SHA1
1ce09dfc7083aa050aead0edde6fe9a5955d3a5f

SHA256
33ae490bb04caddebb6d8defbd8b769f0f5eeea158e647d820eb2c942c8bcdec

SHA512
0d3aaf0f8a2f5b80ba5f7071fc221eca4a978ec9c52ff58ad89f084cbbada43328ebd437032e267b23e4f9605e6a12e419979e9e19425e503f5707c4418aa205

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/388-8-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/388-18-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

Filesize
4KB

Download
memory/628-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-2-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download
memory/628-24-0x0000000074BF0000-0x000000007519B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads