metamorpherrat | 4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469

General

Target

4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
Size

78KB
MD5

f8fdd74feaefcb78be46039b2d1c8ef7
SHA1

3662f57522fec40ba02abf47cab8d78a19d08730
SHA256

4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469
SHA512

84c22a7781c7f309107d7b5b5fe8b0a69951c6bd3a65843bdad35a14509d46b688259ab712f1adcd5e31b25d4f7661196ee34da5a298e1441284f4be88cc37e3
SSDEEP

1536:tWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRj9/P1Z+:tWtHF8hASyRxvhTzXPvCbW2URj9/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2252	tmpA8DD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA8DD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA8DD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
Token: SeDebugPrivilege	2252	tmpA8DD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2608	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	30
PID 2656 wrote to memory of 2608	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	30
PID 2656 wrote to memory of 2608	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	30
PID 2656 wrote to memory of 2608	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	30
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2608 wrote to memory of 2304	2608	vbc.exe	32
PID 2656 wrote to memory of 2252	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	33
PID 2656 wrote to memory of 2252	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	33
PID 2656 wrote to memory of 2252	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	33
PID 2656 wrote to memory of 2252	2656	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	33

C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
"C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4fm4yl8t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA54.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA53.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\tmpA8DD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA8DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fm4yl8t.0.vb

Filesize
15KB

MD5
b27cecc4c15ea457aa54533720155c19

SHA1
14c797177b4de547dcbf6a86c27f90dadf14ae42

SHA256
08f33102e416f0c0ff0d4cc55a0c58886641d807a4ecb2af81db1778ddd828fd

SHA512
4529e2c7e963726b0f293bab2a2f7534e5a2372c88593311765b58a237490db51c4afc81d9c42b2aab27144edad973a68aa28be81e278b3ed437b4131cefc1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fm4yl8t.cmdline

Filesize
266B

MD5
4fded430f01dc94b2d001a90540d828f

SHA1
a32e2ee1b00b693f1fc91c629f30d53de382e2ba

SHA256
a2eb691b3b7fb739639254d8117d525be510b04d84604e3844366fc88142d049

SHA512
c16b09891ddc12edc37838d5f33de3ed20ca662c6121b530e896378c731f360abbffb804112393e8166361fd7fd4abe06d59f35c4b46e3e64e0eb8adbc020b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA54.tmp

Filesize
1KB

MD5
0abb7c7d85c0a8bfb4f5ecc0fbf5aa2d

SHA1
6278029e629d305045414be4674075a46c392a8c

SHA256
3dd419e7868e5b66534b336ea1878aa7042ee6d31482f63b0db6ac39f8ee886a

SHA512
4f2b825d82b9f8237f96461691779b7c696088f70c43db5c039f52ed1f757ee19280575873482739228329ebc4735a43d10bd621cc9a23953b3f94e755e0226c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8DD.tmp.exe

Filesize
78KB

MD5
6de5175b22417d50f624e55582a38665

SHA1
90b7360fc93ae28cb84f27294f97ecb4699bd2ee

SHA256
16d0490d53fbdee793dc6d04d1178ba5569fb664bcdbc90a44b14c2cf660d8a5

SHA512
0871ddfbd56175d533d2a34b671e75d262271fa099bb472485202a4352680178bd5a28a358ec33af883a5a5da4bf01e75f030fc78d7a78d5d0a74dba58d1cfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA53.tmp

Filesize
660B

MD5
3669876441431e027b5e5ddc0f8b2794

SHA1
2d3ef7788e874670ae0fbcd975483791e2f9ad91

SHA256
f8cb226152fdd999fa747bf30d0ec2669067a86e660c0881e5397a3b620ad34a

SHA512
c367a18afefaa58d6735afdb37d41efda83674e3bbb173ad91279e15ae0a47931ccce2a393c86973d2570fa2bc3ddb230a45c637458619a32d49ce4315d2d303

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2608-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-0-0x00000000747E1000-0x00000000747E2000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-2-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads