metamorpherrat | 78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290

General

Target

78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
Size

78KB
MD5

8f9c7a12d8590d6e45641f069629d9d0
SHA1

732eba194d82a5910ff956a40cd5924d8d3bd9c4
SHA256

78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290
SHA512

d923600ea137f94aee368de6d71f066f9dae6871b6e79e0150d496cbaadc37ab66fa584fc3e1c9e343955ab3e209b5b3df298857007821dda2b4a338cb722072
SSDEEP

1536:JRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6f9/gu1aa:JRWV5jOSyRxvhTzXPvCbW2Un9/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2996	tmp3B3C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp3B3C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3B3C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
Token: SeDebugPrivilege	2996	tmp3B3C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2316	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	30
PID 2800 wrote to memory of 2316	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	30
PID 2800 wrote to memory of 2316	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	30
PID 2800 wrote to memory of 2316	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	30
PID 2316 wrote to memory of 1868	2316	vbc.exe	32
PID 2316 wrote to memory of 1868	2316	vbc.exe	32
PID 2316 wrote to memory of 1868	2316	vbc.exe	32
PID 2316 wrote to memory of 1868	2316	vbc.exe	32
PID 2800 wrote to memory of 2996	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	33
PID 2800 wrote to memory of 2996	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	33
PID 2800 wrote to memory of 2996	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	33
PID 2800 wrote to memory of 2996	2800	78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe	33

C:\Users\Admin\AppData\Local\Temp\78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
"C:\Users\Admin\AppData\Local\Temp\78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugphmxma.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C36.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\tmp3B3C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3B3C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\78963414172a74120cc5d8c2edcbc581be607a36b83d87d07dd15061ff9a5290N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3C37.tmp

Filesize
1KB

MD5
70c8a01b9551db335b5c0a04c1cd615b

SHA1
f858703ccfc1fe01d5c1a9411465d20a578f29cb

SHA256
345d00199e959d3fa05fe01ececa4b59812b983beb0e7066cc8482218a744f46

SHA512
267a6c73a6546507bdec442c2872a16adcd7d3d03de89eda8f69a4cff9312a61088851ea376acbea80f5f406f4706ea27b2b95c7b5d9e79499fc69118afc029f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B3C.tmp.exe

Filesize
78KB

MD5
94074a8358238d387f8b819619e1ca42

SHA1
41a370823ebf687446046243919bc563b1e566d0

SHA256
93da93d0ba7c9ad554d174e099b7d851f175da3fb7623817e5917b84895b2a30

SHA512
ef25b7be00e0bd37ac32df020991f9d8fae0c317cf40365671e1f7dff6e63a58c88243faa8ad659a84d8142138ff9dbde37c55cf9c2925ce30d2b70c7cd8b33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugphmxma.0.vb

Filesize
14KB

MD5
67c67de16bd06585bea69b82e58ae340

SHA1
4d3ff8d962f136650f138c01bfd966bd4cd97a92

SHA256
6733737678d2b8bde90bd42b02e7f053887fe6856b80960716b0890e3dd8dbfd

SHA512
5be8eca74479a9f250f1fa9b4dd76b295f8b40e3a1ae875d2317191fcdd59f1521251e5b12e764a77d8ee8f86936c58e9b7c234683f5f3766abec67b8c5e7884

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugphmxma.cmdline

Filesize
266B

MD5
daf9b0b0268eb551cc26c95d7b596f46

SHA1
53032f0a34ecc327e3888728842ef1e0a440f398

SHA256
8535ff60cb3ae4c9e3296eb5c67f8b33c52fdd1fb0a76a843b1ccbc57df1776f

SHA512
abcd03a9fb3ae5acdcf521948fd9876d7fec989fe5f38d8e4d8855a840538cc5a7f778e88d1a91609a643a2793ca060d44a6472137f168b130338fcee9d127a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C36.tmp

Filesize
660B

MD5
12169fd303e11898b2acc67d9afd264d

SHA1
a8893a1d026326109f987105d30538f761953be8

SHA256
d671057a1bf37b183dddc5fe6c80fef3aa973df78a3e11e1c2921d52ade1cd75

SHA512
7bc7eb5f4fb8531d5aa96c97706de8844a6d3b4bb8cacd1bc5e7d7fadc010e652131f70d26773f0791f4d32a2b6140d9fc33dcb0046ea2e8e9b7eb0144097422

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2316-8-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-18-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-2-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-24-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads