metamorpherrat | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e

General

Target

e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
Size

78KB
MD5

6c5ba3841c33f959898afe862fb00e32
SHA1

8923ca1d9dfba6fc985ce8d5200ed00de57a0da3
SHA256

e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e
SHA512

2d37960bfeb868cd30c9a76d8c39aa36b1fd45c08f00dcac224373f47f36240881502c17ab5a31948887f65f9a82493324dc37116076afb7a62e125d4792a79d
SSDEEP

1536:QRWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRP9/k11qc:QRWtHshASyRxvhTzXPvCbW2URP9/Nc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
1792	tmpD44F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1792	tmpD44F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD44F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD44F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
Token: SeDebugPrivilege	1792	tmpD44F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2256	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	31
PID 2848 wrote to memory of 2256	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	31
PID 2848 wrote to memory of 2256	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	31
PID 2848 wrote to memory of 2256	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	31
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2848 wrote to memory of 1792	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	34
PID 2848 wrote to memory of 1792	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	34
PID 2848 wrote to memory of 1792	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	34
PID 2848 wrote to memory of 1792	2848	e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe	34

C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
"C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dop7ftul.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD54A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD549.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\tmpD44F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD44F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD54A.tmp

Filesize
1KB

MD5
af6a583cce5f35390dc99faccff971c5

SHA1
aa59668324f6f6493ad09c5adb638e8b91f3a4e2

SHA256
b85ca858c27d2d2925f7d95bd2907d1b6e31df99a5def30e61cef3e5bc6b6162

SHA512
eb09e38a3e7bfe8fce675ff05d66009484a276f8cc746bd55e9acbf5f48117c7d39770a882a7d0e69377e2c99fec67f388ca8a5c61145ad0428f087b8d2ed392

Download Submit
C:\Users\Admin\AppData\Local\Temp\dop7ftul.0.vb

Filesize
15KB

MD5
e5f347513506506f180f98779a1f1b7e

SHA1
6795198309695d3701fa0a5aa931ad4239a20313

SHA256
59d6f84ef63069aed04111955b7b72b4686ff1b0ebb7f395b2543984dee6beff

SHA512
a4e901e1a88a5fadb356d306e32e9145c082bfe15e5b7eb1fb4e3d27a4745f6cc95560738283c08780a32219d57bb32bd1b867119ab522420bdc2ba64178cb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\dop7ftul.cmdline

Filesize
266B

MD5
680c778d795bd99dfa328811bc8357a3

SHA1
03224103762e710e960767f1209bbaf100d494b2

SHA256
58f4fe2e6146a53b3a308db0157b0e8e2cf29f51220a96ac92c34c4496454632

SHA512
02f910d8c69b971b2e0b944122f4884d27af6cd5f2e859cf05685573d3dfc0b81ff5d3a4dcb2fbc465ccf15b0ce76f7f0921cdcc2d34a056ef92bc24d9a84506

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD44F.tmp.exe

Filesize
78KB

MD5
b0b93bfef5190f31e7a8cbc053fca8f4

SHA1
475b4bf97833042ac7c4515f2a4a414c5c4654af

SHA256
a817851f6837ef4abee7864fd6e7e4e61ee3bc1e70b7508a06b122fa34991b71

SHA512
dbbda8c63f321db344f64b85e5619b014d99ab51548aa8d04db25355f5fb3a6db1b1d07c4dcad6fde0187c665f5000d41001f1d943f9c87a379b8515e98c1ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD549.tmp

Filesize
660B

MD5
9129929fcde569b1e1e43f368a632210

SHA1
f6dee10c0075578c614132a28b5fd20d533f0c39

SHA256
1e4a5b9647b636d6336ce1924280d2af9aa51a1bcdb019663fd7621eeb44211a

SHA512
b06e0e92d7ed2e3b7b73b7c2603c7726b09759ec3d2d6e9a88026592a92d95cf42d781f11963c11133c1d4e48d90e6557523af2e374e96fa88b5bb6673d3a9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2256-8-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-18-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074B51000-0x0000000074B52000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-24-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads