metamorpherrat | fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6

General

Target

fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
Size

78KB
MD5

e817e7ee4b503cc2a7b73df0d94496d0
SHA1

821e17a6ff362c647197c4e52996ba2111de836f
SHA256

fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6
SHA512

32f5fd92ec5d86e1996b4b879276ad2ac6d2e2981819363e64a7cf3323862ee4948273865adae27f94904faf2b9ff82a193abb7e931cf6b4b445d55f10a1ec83
SSDEEP

1536:NB58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Z9/IT15V:X58WSyRxvhTzXPvCbW2U29/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2008	tmp871A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp871A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp871A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
Token: SeDebugPrivilege	2008	tmp871A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2400	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	30
PID 2508 wrote to memory of 2400	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	30
PID 2508 wrote to memory of 2400	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	30
PID 2508 wrote to memory of 2400	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	30
PID 2400 wrote to memory of 2108	2400	vbc.exe	32
PID 2400 wrote to memory of 2108	2400	vbc.exe	32
PID 2400 wrote to memory of 2108	2400	vbc.exe	32
PID 2400 wrote to memory of 2108	2400	vbc.exe	32
PID 2508 wrote to memory of 2008	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	33
PID 2508 wrote to memory of 2008	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	33
PID 2508 wrote to memory of 2008	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	33
PID 2508 wrote to memory of 2008	2508	fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe	33

C:\Users\Admin\AppData\Local\Temp\fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
"C:\Users\Admin\AppData\Local\Temp\fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnomsf3o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88BF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- C:\Users\Admin\AppData\Local\Temp\tmp871A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp871A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fff67b4277184dc59c7e3a50bd32b4f686051eca486addcc688543fc4e40fdc6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES88C0.tmp

Filesize
1KB

MD5
bc4a369e553fa0dd879abb6ced549965

SHA1
48601e8591b1053ac78974de8b23fc35802ddec4

SHA256
57ca5a9af430fb87d61f752c90f7755ed1353840f3a8dadb289ce386f9200349

SHA512
964489be73f0371649c11540747baa01f84cc12f54315e883ee9af003c8357fce18f22c3014407673882c8ad1491540c888c4f88173a458d9716de92f381aafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnomsf3o.0.vb

Filesize
14KB

MD5
8f3ae679b9b75c6ee40d2d945841ae4b

SHA1
8c51049b5480c425fff5d30cb2d079c67c568c7b

SHA256
d2ec5f0cbd56ad641429e4e8a7687cf898aa5ca9176ba11eed4b01ed416659df

SHA512
b30f163ca4556f87319f30c8581fd295f4e7ce105e90e0d31de3e6e30c99e8edd251c1af7d4be55a365505fd15a8d700c0ab2c1ba6fba2c83c4a01a48d6114c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnomsf3o.cmdline

Filesize
266B

MD5
0fa5c09ae79560efe196d48703e7e2e0

SHA1
ad42ecdd293da004f0cec4b25b6d807b00f3002b

SHA256
dfbdf49fc51040bb31e0596440566fc0a386a46278e9fd8c0e96cfaa620bdd5b

SHA512
1f4fa5e29ef23f6c5fc9a99c8a3d6b055babe6d97c6596f6b9909133ec7e92c4966ce6420b9159ac3c88a1b79299bfeac9b32690cbc2dcabea3a40413fa51936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp871A.tmp.exe

Filesize
78KB

MD5
5c2524e113a171863c07b825a01c3525

SHA1
a08452daf635c734589d18b80508df35826c0f8a

SHA256
aedc5d99261e5abefe8e37f9a9a5f9d2cd5f2e90fa35b559b1f3d68eca42c08f

SHA512
2a8cd4e10de4459152ddd751d5e67ab52add16329146329a77edf980a067465425454740d19f0a32f453e809a66a641b86dde22a5e30be5fa25ecff821cbda3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc88BF.tmp

Filesize
660B

MD5
268b875a9b066eb8d0bec5e4593dacad

SHA1
66384ae25df337a5e18b19ddc9c02d118afa07c2

SHA256
43c34b5a039f220419ee6823e3dd90204747857570883f3f7cd70b8c3fdd5066

SHA512
65296b9bf8c3ca43e0acade98feffb2cbcd6701baa3fc4ca0176c290ea80845060c9735e8fe93dd5f04c08e326ca67876dd8579a09eb73b214ffdc853207ba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2400-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2400-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-5-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-24-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads