metamorpherrat | 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd

General

Target

965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Size

78KB
MD5

b209d0f39e8ccfe218225108100664d1
SHA1

6a0896294a8d9e1442b5a7b70e1c8ef30844ff2e
SHA256

965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd
SHA512

9c52f9a7656905baf1173b59a18ab5bf9de8cf09013f2468bc99b573f24cb34eb155439be50e09d010f7286cfc3c9e58d4df781f9c146f954d2e52ca3aa3335d
SSDEEP

1536:NB58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Z9/IT15VP:X58WSyRxvhTzXPvCbW2U29/mP

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2248	tmpB339.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB339.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB339.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Token: SeDebugPrivilege	2248	tmpB339.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2236	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	30
PID 3060 wrote to memory of 2236	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	30
PID 3060 wrote to memory of 2236	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	30
PID 3060 wrote to memory of 2236	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	30
PID 2236 wrote to memory of 2472	2236	vbc.exe	32
PID 2236 wrote to memory of 2472	2236	vbc.exe	32
PID 2236 wrote to memory of 2472	2236	vbc.exe	32
PID 2236 wrote to memory of 2472	2236	vbc.exe	32
PID 3060 wrote to memory of 2248	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	33
PID 3060 wrote to memory of 2248	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	33
PID 3060 wrote to memory of 2248	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	33
PID 3060 wrote to memory of 2248	3060	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	33

C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
"C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_epajvy3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB443.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB442.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\tmpB339.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB339.tmp.exe" C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB443.tmp

Filesize
1KB

MD5
fa1c38c0efde3e5f932b4e7e1dd82798

SHA1
9f98f27deceb4bd1a1b09edc09fbb7e1e51c0bec

SHA256
40e12a7a78c5f9985a6d15a8ebf7693f1d51323b7fd1666465721a668a0485ce

SHA512
c45e4faf98d112fefe0b908372a68fb6d997027e9bea66e3260327e62b38a3137ea151c633b3806ba090518a65a0f0897bd83c1f7dcb795fb33e5b563f6e06fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_epajvy3.0.vb

Filesize
14KB

MD5
794f1df52215298c590f65ee1deca549

SHA1
d778deea6dfe344b854e889aa849ebe92c1508bb

SHA256
01f588b3a53a2da95c9e2c337ef80c8704cd0ac24976ba4e2c275325f0793a2e

SHA512
9e1c9a43aee64ed224d091e28ae0e19fe9b273c4d140b37808091ebac3f6b6c6763f1e6bfa7a716ce68a133a81de1743662c7494fb3ef1e07d4b4c3ad338613a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_epajvy3.cmdline

Filesize
266B

MD5
283ddaba694cd79e7e3bf5ca226b8a90

SHA1
8ccbb38d1343be5c44b79dfee356d4071fc96fe0

SHA256
21e70ae88a997bb740a446be65e3fb5c4ea3b025f8183a9c22a79327a04b7e92

SHA512
7863b4a291c29f7993954feb2d0adb7ff01f66a645a9387ab6291983c397414536489d9f1ce3228a112ab3ae5a9beb04c58d55c1f03f277a49ee2a17bf08b84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB339.tmp.exe

Filesize
78KB

MD5
09a5df89a7e64b1486e0122031020a02

SHA1
6abb636bdd58e99091da607c07ea487e1285eee7

SHA256
b5780e3446fe0ea1b39f963f73fb5b0843670683e80b0908d5647d6efb52b930

SHA512
54bb7c9e678d4546a5218a7b8099356f99d1669749dade9d37167ed65654b94c04bd24ca7314ff6279b45583a8035d466270d7ed93bb453deced16d69dc570eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB442.tmp

Filesize
660B

MD5
b3c0f08fcaf55dbd80011714c01a62f8

SHA1
abe5e5e304b6f6704e04fc3328c9a3cda0d8c15d

SHA256
6e865e4e26ed96a7e9dc4935ca6bd5fd3f1bd466da7dea1b44c4c76d580b631b

SHA512
18c7014c479fdf461d4fd884499c21af13843b5bafdf7f0747cdbb5c3e4a298ecfd14114ae70a6050debef2b9211f4963ecd02a70167200dab664ea430f27cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2236-8-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2236-18-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-2-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-24-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads