metamorpherrat | 0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243

General

Target

0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Size

78KB
MD5

1e0e24b8f1b13d94658ea28c5306f295
SHA1

c0e9acfe1125c646e347c80ecdc0d9b03b5628fe
SHA256

0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243
SHA512

4518ad98b02c2b4f1e318436f30fe32bfba6cb7960f84e96ddee5b1b75e0c81d753c5bfb1338fccbec6fc59b57694c6b1f87d8fbd16663964efe609c16e92e6a
SSDEEP

1536:sc58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQts6R9/P1zf/:sc58WSyRxvhTzXPvCbW2UP9/5/

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2460	tmpB55B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB55B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB55B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Token: SeDebugPrivilege	2460	tmpB55B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2084	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	30
PID 2148 wrote to memory of 2084	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	30
PID 2148 wrote to memory of 2084	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	30
PID 2148 wrote to memory of 2084	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	30
PID 2084 wrote to memory of 2936	2084	vbc.exe	32
PID 2084 wrote to memory of 2936	2084	vbc.exe	32
PID 2084 wrote to memory of 2936	2084	vbc.exe	32
PID 2084 wrote to memory of 2936	2084	vbc.exe	32
PID 2148 wrote to memory of 2460	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	33
PID 2148 wrote to memory of 2460	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	33
PID 2148 wrote to memory of 2460	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	33
PID 2148 wrote to memory of 2460	2148	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	33

C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
"C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m_yv1d9y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB684.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB683.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB684.tmp

Filesize
1KB

MD5
d893abdf38c7329d5f2fd67aa13a2f83

SHA1
d2e0b4d8ad7329980fdc3caedf49a6a01098c64b

SHA256
077fb513fc8ad6760afde7a8e1215038d47783340ff697f93766cd64cef2720d

SHA512
72cb21519a7ea07f66acf9071da4e1338f640fa465a3d46e918e89038bd98a2e994a813fbbf2790dfea00caa1c77b17cb138871b325bea98a54d5a74a37c86f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\m_yv1d9y.0.vb

Filesize
14KB

MD5
16828b18a3bb246cfc56d921b43d3d8d

SHA1
4bc77824daecc0ef17848126a064a77705c85b9c

SHA256
3811f1b951e312464ae7e2da4b1b033b755988d7d64cd02cdb1d976f0d95706d

SHA512
4175c0056662a0dfa30f6864c05657d9343c3a407e99721a1e116a3b6de47c3c5ffb112c56412bfc8da6db73b375b4b1555ec67713bb18509af2c534af14ec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m_yv1d9y.cmdline

Filesize
266B

MD5
a1afda3d813ebdfe80c7bb20259123e3

SHA1
dc3a0c8534b230f52fb2ba8a677858a8f644c9d4

SHA256
2950a5f624892526fedda4229fd2fd112d18e97cd1ce1d08146b6cde6582d468

SHA512
3720f17df475ee1462c199a868c59c5adb8efbfc61105d6f09a7c66b02f9269d25e6839835f5cfd429c78e53b1ce265e019b6de23ae6661ed459b37a4a848f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe

Filesize
78KB

MD5
e9609de08276f65e73b3aabe810c14c5

SHA1
9d245d6a0a7d747986c0dd539f1418e21794c61b

SHA256
babb15824500b6e8726b7aecc9fe4b78826f3dc83193fa9ccc5a8f41dabac081

SHA512
bac842c4f13eeb6c7bf4b175ea04c252f03a8a0c7e14af41a054141dd6c5b3469c79f3e01643fcca0ac64d35ae5a500458f5b50ce42132120dfaa119112306d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB683.tmp

Filesize
660B

MD5
515eca68dab3c76a8e1af10b1c528f16

SHA1
15db143d5bfaa105f47e8b656a0485b766e858aa

SHA256
3355335ed9ae09dd14bab2c1dec0b76f04e15123a6aa8df3a5879bb605cd25ff

SHA512
2498bd5120450ea05cf69bf6bdbd1183a5e88333486278538b39b182f4440463b173466524c4e7456d217f891b80630ae1d19fa98ebdd296c8f069cbd8725a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2084-8-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-18-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-0-0x0000000074371000-0x0000000074372000-memory.dmp

Filesize
4KB

Download
memory/2148-1-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-2-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-24-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads