metamorpherrat | b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96a

General

Target

b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
Size

78KB
MD5

15b9526b434f3def70f14e8816a41780
SHA1

e1cc5bdb29f7c06503f30b624a80e95c4a53ff89
SHA256

b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96a
SHA512

6bc1524b1205e9b60a11ee553c9c953b164939c3eda12b57942a39f81f15b32bc070f90be666c5e4fd43c63cec19cbe6cc0f6c4deeb2950b958e6b53ffade2ca
SSDEEP

1536:sc58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQts6R9/P1zf:sc58WSyRxvhTzXPvCbW2UP9/5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp8160.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8160.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8160.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
Token: SeDebugPrivilege	2716	tmp8160.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3060	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	30
PID 3016 wrote to memory of 3060	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	30
PID 3016 wrote to memory of 3060	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	30
PID 3016 wrote to memory of 3060	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	30
PID 3060 wrote to memory of 2756	3060	vbc.exe	32
PID 3060 wrote to memory of 2756	3060	vbc.exe	32
PID 3060 wrote to memory of 2756	3060	vbc.exe	32
PID 3060 wrote to memory of 2756	3060	vbc.exe	32
PID 3016 wrote to memory of 2716	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	33
PID 3016 wrote to memory of 2716	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	33
PID 3016 wrote to memory of 2716	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	33
PID 3016 wrote to memory of 2716	3016	b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe	33

C:\Users\Admin\AppData\Local\Temp\b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
"C:\Users\Admin\AppData\Local\Temp\b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lv6vyl4u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82A7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\tmp8160.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8160.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b592223b6619a4c3cba0888e5aa5fb13048af42219afa9d1c3cab5ca2350d96aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82A8.tmp

Filesize
1KB

MD5
ea92d38216a5080aa262f4333195209a

SHA1
52f6fa123364041c975d083f373d1b5453070b75

SHA256
e6c9d519b04dd60dfbdeab429566497ef5ee2ae3ed202b6d718cf55896fecaef

SHA512
741ebf304a1c9e0565b0f199e97f281687ae9578e2b7f4560b6ac3d86b906860fc1134153a0782a43ffb2ad9f9e151add3ac975dcf010aabe2c66bfdb7207787

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv6vyl4u.0.vb

Filesize
14KB

MD5
e6546875c3cda464dc050d0b7db566c9

SHA1
5b7b2711a602f8817a0432346c4cbf98a0b55157

SHA256
ba5af35ded1aceeedb379f7971db2b293ff7fd9e90300ba5b5d19e6aa122654f

SHA512
42a9f9eba30c56acc3d6dffeb8b01cb549dd1ed83f0bc1336d5bb5b1677615d344c11632e4a44a11795f33337227867fed1172717042d88df339581ed8dae300

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv6vyl4u.cmdline

Filesize
266B

MD5
d02a2ddf189e89ea66cbbc03f0685ad7

SHA1
3fddf67ee9c37e3264a0da2dc7cf0ebee218dc01

SHA256
01b59628defeb82fff9f927ff08a37010f353e016976141d727e162b7e121bf9

SHA512
477563324334c05ca5d82777118da3389aefde9351701717ec5474c93ffa5fe0811b1419463b09b1997872e7183dd06563f80373cb5858f6191813755ec6cd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8160.tmp.exe

Filesize
78KB

MD5
298e388dfecb40f0a1a9527be4b654d2

SHA1
ab25cf7e131dc66d215905a57bd48e7657afadc2

SHA256
6ad2b34568ff872f759e6c0d39a4ea1ef98620442b80f2070bda5a396553ebe7

SHA512
38f0cc83cf4700ff71fdfe9abcc83542c6f97e0f989ec0292fd4b3ebd8ed667811bd6bd55d40a86eac12c0e2581b9da9fcd88a1bdfcd779b7a7215c1304dcb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc82A7.tmp

Filesize
660B

MD5
5f25825395ce0ff125f0ac85c217fdb9

SHA1
ad2efc530edfea50df70b9a90584125bb3b0ff9d

SHA256
6886f663b1ede00652af831f6d5f4ad64245ed1a4c36c612c4918d4425331bbc

SHA512
ba44fa0b129116b3515c45acf8a3edf656deaaf97d25c287d0abbfe88c01cbd363b71c2b8dca0c4952443347c5ad857b038dddce8febacbb31a8a3e616ec8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3016-0-0x0000000074B81000-0x0000000074B82000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-2-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-23-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-8-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-18-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads