metamorpherrat | f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43

General

Target

f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Size

78KB
MD5

de2c534c212f2f0d897605365fe4b100
SHA1

d06c70ae00ebe4199de36be32bcc0ff8604518c3
SHA256

f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43
SHA512

b956bc4a78f6a9c6b4dffa30b94512398ede2057366813780aa2644c4bb19325c5dea77f629f0de2f7fd253c22b553238e0ff99d9c86d12f8dd62cbe9e48737b
SSDEEP

1536:xy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt9659/r1PG:xy5jSSyRxvhTzXPvCbW2UC9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2136	tmpC64B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC64B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC64B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Token: SeDebugPrivilege	2136	tmpC64B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1284	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	30
PID 2356 wrote to memory of 1284	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	30
PID 2356 wrote to memory of 1284	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	30
PID 2356 wrote to memory of 1284	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	30
PID 1284 wrote to memory of 2976	1284	vbc.exe	32
PID 1284 wrote to memory of 2976	1284	vbc.exe	32
PID 1284 wrote to memory of 2976	1284	vbc.exe	32
PID 1284 wrote to memory of 2976	1284	vbc.exe	32
PID 2356 wrote to memory of 2136	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	33
PID 2356 wrote to memory of 2136	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	33
PID 2356 wrote to memory of 2136	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	33
PID 2356 wrote to memory of 2136	2356	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	33

C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5sx9hog.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9B5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC9C6.tmp

Filesize
1KB

MD5
ec8c5c64964fc938c05c8b46082aa335

SHA1
7b834bc5d7db664e267b14eec1897f2c8d5aa2f9

SHA256
06b26917d82da686c8b624c59a7e6529aa860faf24f7b40f89355e6ba291bdb4

SHA512
7ae449c7d89efdd84bca9be863a5f38d41f979c92c207dd304f13af168fde2d2deb7c9a67a5125b968d6fdc3977ebde565959a7d81431617062a8a1e21d36514

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC64B.tmp.exe

Filesize
78KB

MD5
8acc6e3cc4914bb15817cb54518d0bb3

SHA1
e755e1e629f0abf366dfa126a4957938e767baab

SHA256
5ff908e41131a1a23067585aab3dcef2c77dd3e28a2bcdaefa9d0ad4293e05cf

SHA512
1926fe5a749096fcb6a1a3616aaddc4f95bad8980d0900552c423eaa0258d556887edbd290b015ee0d827aaaac8dec5956a24b587d6b28655126ca4253dec207

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9B5.tmp

Filesize
660B

MD5
d548c1f050c277a0c399776d170bfd8a

SHA1
cd964bce4b99fbb30b24257630b4fccbef52f11b

SHA256
ba6bcd9dc55af92c9da53d1325bd07228c16f2c045cf1ece712c3ab6180e9521

SHA512
cd072bb5fab10e030be5aa88e25ddd42f771a0d55d40d7dc24d82ccf83faaad11290ef1b168d0259afd8ec0189d0544c24edd3fa9899554e88202af4006e8d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5sx9hog.0.vb

Filesize
14KB

MD5
c9a2d1c40365738ca0d6691a09b0b3ec

SHA1
d095acd3f8c0480ea419e73214687e42d4f7e9fa

SHA256
f199fbd319a97e06ab17b1b54c327682c61e4f06abd5a0085d1ff665b78573c1

SHA512
eb3e1c7b11217fce7f1338039c5ea24ad971cad70bbd3ec8b08194a101ac7e80a628b3e987a53bbfe6078ca4928a9f2a043db7c74f1dfd075d044d6f6e3dd93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5sx9hog.cmdline

Filesize
266B

MD5
4ee451d2a532fc636e11e8dd8d00d47a

SHA1
fe04b537fde3c31bfda652c0575dc13b297d6315

SHA256
9ecbdabc9a2bb501520a29b349249465a6ec18ae9227e6df72fd4f0599a8ff48

SHA512
48d77ee5a8164a324493f944ccf6f84f68b2525c0a6b7fb75a549b7227bc7c12e7a56412c60c357565cecb19ab0dbdb847b611e709a03e7f2b6c45b040771efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1284-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1284-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads