metamorpherrat | 7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644

General

Target

7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
Size

78KB
MD5

942c6e2dca86f59a02d3014d8c048e30
SHA1

4d6a2de7bc38b65e467a24bb2737412defb55223
SHA256

7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644
SHA512

23ea55ba719fb14914ee8e7309fa995ef145ff027ef996feb14aee080900fec1d4d300646066f37ce62356fcf8147695cd1fd4d1283b06903519ab77f957145e
SSDEEP

1536:QRWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRP9/k11q:QRWtHshASyRxvhTzXPvCbW2URP9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2868	tmp77DE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp77DE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp77DE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
Token: SeDebugPrivilege	2868	tmp77DE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2836	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	30
PID 2316 wrote to memory of 2836	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	30
PID 2316 wrote to memory of 2836	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	30
PID 2316 wrote to memory of 2836	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	30
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2316 wrote to memory of 2868	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	33
PID 2316 wrote to memory of 2868	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	33
PID 2316 wrote to memory of 2868	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	33
PID 2316 wrote to memory of 2868	2316	7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe	33

C:\Users\Admin\AppData\Local\Temp\7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
"C:\Users\Admin\AppData\Local\Temp\7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3ervdlr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78C8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7d41267ca4da768a79c14e0fe77d18985917b4c42379df164d9b44465b6f2644N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES78C9.tmp

Filesize
1KB

MD5
9cc05f3f535452bcf65e314faecd5fe3

SHA1
bed458a3783560e6de09c189cb6213613611c54e

SHA256
98d71bb66ff76b0486f9144c71d4131961f0142c7c0f23175789ba3ac859004b

SHA512
8171e2561d2e557f9f720ae44019a14ed444c789b6d8c95884e51daa63a77e60b6ffde7dab94f88f691c51b041641ec4edb12c17b93384490724c3afa7127755

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3ervdlr.0.vb

Filesize
15KB

MD5
850f2a00ed0956f6e52cf54928a896cd

SHA1
2412bb2b325ed06fff599e7919d6327a3e67c4f1

SHA256
c531c079870f4cc5b7ccfb02f3dbb914d643ef38ece3a3bd1f2a140a903b9ab7

SHA512
860fece8fbb2a790dfeb4089a7943defba52aeb885b4a6c1368b26aa3eded1fcab72cc9082b879a406a50d7b9b4ca83eab2486a658b6557434f54b4850c9ac70

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3ervdlr.cmdline

Filesize
266B

MD5
b820f04f7b6a19f59d8a520017e03ab8

SHA1
e1a068119b41224a7dd274fab68110c9f0845143

SHA256
bb7fb23725901093a0acb83bf25074cb8fab776344694d039626fc51d4f74118

SHA512
a2ae56984c43ea90d14a618c2e08bebacb4ea1e7882fa4db4d0df6f321bb2f538ce57c0c869033004351174a1c76d34ea9a37ed5d6ef6e1666585fb1dd06940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp.exe

Filesize
78KB

MD5
d79cf5002034653db4150f8635b13203

SHA1
6aedcd2fcc0ea85612b2eabd1400856d1e4ac487

SHA256
87aa61f2eefda953b4f42823fb40dd8bd0e29c8acfea170417e06c0cbaafa1f2

SHA512
ab0de848d7786dedb45792572362cd81d3028007bb52f318f0080d8dd9959041bbe1ec4b72eb4c5804ecd229d9b36a2de52bc4121cec2f79019b18d2bd0cbf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc78C8.tmp

Filesize
660B

MD5
f480ba74f3aa536439ac2b6ecdce6099

SHA1
9b2edf17505d83baa10a3034a7950897bc7045fe

SHA256
83701401819277da0710a8a42c2b15477df6c7cc8582bfe9a835b3bbd25066a0

SHA512
c71ae801ad764b2115c595d2931c6b8913d1324aba43ac66387e14bc3261367ac1825d81e87828fba675ff71e9f20c23f333aa167644bc62b4a70c512dedd5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2316-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-8-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-18-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads