metamorpherrat | 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc

General

Target

0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Size

78KB
MD5

0df3110a86b2ad893c527cf4cf89cfc8
SHA1

c2742c7fff7c3203a89fbf462ac7f15a1a8b0fde
SHA256

0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc
SHA512

2849e5b61120f8f90e7ec17be598bfb8308442a2c073e0cc7fd461649732c86cb7b411fb162230c7674390ad320954ef153b82a6d6688c7e0f31826799979ee8
SSDEEP

1536:GHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/V1evZ3:GHshASyRxvhTzXPvCbW2US9/M3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1832	tmpA035.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA035.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA035.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Token: SeDebugPrivilege	1832	tmpA035.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1324	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	28
PID 1316 wrote to memory of 1324	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	28
PID 1316 wrote to memory of 1324	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	28
PID 1316 wrote to memory of 1324	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	28
PID 1324 wrote to memory of 3052	1324	vbc.exe	30
PID 1324 wrote to memory of 3052	1324	vbc.exe	30
PID 1324 wrote to memory of 3052	1324	vbc.exe	30
PID 1324 wrote to memory of 3052	1324	vbc.exe	30
PID 1316 wrote to memory of 1832	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	31
PID 1316 wrote to memory of 1832	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	31
PID 1316 wrote to memory of 1832	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	31
PID 1316 wrote to memory of 1832	1316	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	31

C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
"C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r7soaayb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA20A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA209.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA20A.tmp

Filesize
1KB

MD5
f7419db5fa8ada032dcdfd1777aa8f1f

SHA1
fba4117a2a399423c7163f33aef3f3b35124c135

SHA256
81b9ef61b7ca48edbad5c61301f2745cdd0cb96a47a9da5b62eca4d12e5d1701

SHA512
d7d6911b5f29bfae3ad5b85325002791279755ca5e4bdcfe495ed909c323e1364823c6c7e06ecde285136687ee38278698de0e5d27948900dd895bb3bb47dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7soaayb.0.vb

Filesize
15KB

MD5
8663d09596fd08b324b50a3c2baa1cc2

SHA1
575b5546465556e564c3ea5ae8d1dc66d01ef8c4

SHA256
829d76ba594138dfaa2b770d4deefe16d634bcbbe4614c01c22c6179a7f9cce7

SHA512
c045b91cfb585f61d2d74ed9c57c60c6472635b60eba09f32bca2707950ab17fc20e37fad9286fdb3c2ebbc5bde95c3a582ca830122c879672bb77cbf4da0bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7soaayb.cmdline

Filesize
266B

MD5
0a02d1ed14d3f0dd698a3d2804bba1cb

SHA1
2800ae5cba74901042c95da2cae4ac9a011cb3a1

SHA256
e2206c2a68d55b1dfdbbfec472ff0c3d9aabf7b6a02104f961b225f79c6ecb78

SHA512
ae4de91b827ef454eb95c33f29b1c245df765f970e86fb9730c1cac2f3fe05d3bb024204e313a46d148892c25c0641a69e36e2f18d074c47741901295483b46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.exe

Filesize
78KB

MD5
7b1ca6160570d3dd369ea08ba9288d6f

SHA1
38f6d4234b6b2f36c46769c18e42ecb1ecc4033e

SHA256
3698060c7679b14ec7b6ee9e3e9037e6dbab63d8c1e4fcc3f3b9361a8458f7b9

SHA512
8203c8d74c3ca57ddf16cd9bafe10f24501607b95bdc6a60b0528040e491476316b106e42b79a0f7c27161ea991d03c00bc0d02e29ef1c901836452a85c7bce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA209.tmp

Filesize
660B

MD5
fc5d88d1ea9356afc6e9512d4b2c29f0

SHA1
e1a3ee879846cbdf2564ce07f52b7e16b7dcef55

SHA256
59af5c4977dbf9d92da7d68296c64287ca3313bfbb6000f9affeb2138f172fe8

SHA512
5ca4fc84377f7c1902e5a5da34258d3cc74813b9fa2bd9f3239b98a82446e6ac503f51c13b57f3802f9e99ba3a2c39470f2f297ea3b5c4665dfb6437498e90fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1316-0-0x0000000074F41000-0x0000000074F42000-memory.dmp

Filesize
4KB

Download
memory/1316-1-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-2-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-24-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-8-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-18-0x0000000074F40000-0x00000000754EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads