metamorpherrat | 53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2

General

Target

53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Size

78KB
MD5

b12baaddb7b59ca73b1b6b3c8b221da3
SHA1

66d88e761c4c42bf953f46fd83cd70438455b31d
SHA256

53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2
SHA512

d3cbbc2bbdb5e2d9e5520ba09506eee5069513387539cf1bf200f72081b1a6812cdab2dad85313de50bc57f85cf0658077c03d3cc4ceb0058412104c103593c8
SSDEEP

1536:PuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtR59/uE1Rz:PuHYnhASyRxvhTzXPvCbW2UR59/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2672	tmpE263.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE263.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE263.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Token: SeDebugPrivilege	2672	tmpE263.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2968	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	31
PID 1840 wrote to memory of 2968	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	31
PID 1840 wrote to memory of 2968	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	31
PID 1840 wrote to memory of 2968	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	31
PID 2968 wrote to memory of 2716	2968	vbc.exe	33
PID 2968 wrote to memory of 2716	2968	vbc.exe	33
PID 2968 wrote to memory of 2716	2968	vbc.exe	33
PID 2968 wrote to memory of 2716	2968	vbc.exe	33
PID 1840 wrote to memory of 2672	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	34
PID 1840 wrote to memory of 2672	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	34
PID 1840 wrote to memory of 2672	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	34
PID 1840 wrote to memory of 2672	1840	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	34

C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
"C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmpxrfyy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE35E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE35D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE35E.tmp

Filesize
1KB

MD5
e9bae90d2f3c1328c8dd01698dfa0e63

SHA1
14484840e4a270534a390d4ef9a9ab3cdb69d6a2

SHA256
200c3e94d44a137c1e3ed4ee052132a6980a1ba32caa6793d63fd0bae8f56944

SHA512
5c8ca220b07501d2e933bc5d614625cdd7ea615814ac5e8552c4adbca8e5dc335beb03bef0f2a5df63fa4529d46bb3bed29ba9cd301e3f33291d4f6074623847

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmpxrfyy.0.vb

Filesize
15KB

MD5
0106700faeb9a0f45048726d5ec8e43d

SHA1
64ba0a92acef53460c7e85ed218b2d233c607eee

SHA256
2f9b1ddb9d33b8c259e24fc1cbf82395a8e7eae6109d69e971b384886a4f40a0

SHA512
abd7f23467a8a0888a4b7cfdeb8ca1b1323ffa7598d31c1e51697639eedb0239293bcc0ff43f0388ff823719f956e72ccb1cba3c4bcbcf5a2c0a17d9fe4fa740

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmpxrfyy.cmdline

Filesize
266B

MD5
24fc2d0e8297d5fc55733ccdfd1214ae

SHA1
af77daa70ebdfd956a039ce993b04c412aac257f

SHA256
ae04abfca0af8b77508251e42a2c6501004771eed32acf3f621b596e523ab0ec

SHA512
07ebc1697f8d41fd3356cc96c13094f9b5655a54534aecf5b9f6af9ef6fd1bbe6386625e2eb38f845291541b957c04b92457fb2dc581fe9cb771100079eb35a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe

Filesize
78KB

MD5
de475dafd4ed39a5daeef53d8a21b4ad

SHA1
fd3e42acdc7a30c306da7148bec3e76dfb18ccaf

SHA256
ce6f2f895a7f6bc389595bf38c75e1c16f026c03a68afd5d5d1910edbd02724e

SHA512
99a7e42044cd18d36ad4c87e9e88b82e735211963a404859af9c9469459fb43dddbfe6003b66a1b9889eda9d6fb167729caef890f7df12fd9c99ba0ed514a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE35D.tmp

Filesize
660B

MD5
7d7b876375f4c364efd224378da4765b

SHA1
b20ed550119477c59b3caffb05b57714bedd32cc

SHA256
28448006cab73c95d06d21fafcc79d11fdf4ca990ac2d18aad837b5ee90dd388

SHA512
2df8511c0bc6638b24653ca410cd44a365b4260b15cb10dffb0f414826293a4e03a51e1eb3538880239b809a63825d2155bd13873ee834b8b29ffc45a0691e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1840-0-0x0000000074D21000-0x0000000074D22000-memory.dmp

Filesize
4KB

Download
memory/1840-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1840-2-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1840-24-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2968-8-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2968-18-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads