metamorpherrat | 3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205

General

Target

3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Size

78KB
MD5

b673e63504b1ea364898ce0486725ec0
SHA1

b41bb7ae4d2385100d088aa3700571d0f047fc5f
SHA256

3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205
SHA512

aa568842f31ba09b94e3756c9fc4698aedc4e4c77eef41d2b91ead471dfef786144230f1582dbd3607ccc11f9f7c7347a5148b7233d077fbe5cf5e8e389e59fc
SSDEEP

1536:4WV52XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96s9/EtW1uyc:4WV5+SyRxvhTzXPvCbW2UP9/2Gc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2208	tmp9BB3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9BB3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9BB3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Token: SeDebugPrivilege	2208	tmp9BB3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2388	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	30
PID 2384 wrote to memory of 2388	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	30
PID 2384 wrote to memory of 2388	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	30
PID 2384 wrote to memory of 2388	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	30
PID 2388 wrote to memory of 2060	2388	vbc.exe	32
PID 2388 wrote to memory of 2060	2388	vbc.exe	32
PID 2388 wrote to memory of 2060	2388	vbc.exe	32
PID 2388 wrote to memory of 2060	2388	vbc.exe	32
PID 2384 wrote to memory of 2208	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	33
PID 2384 wrote to memory of 2208	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	33
PID 2384 wrote to memory of 2208	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	33
PID 2384 wrote to memory of 2208	2384	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	33

C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
"C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\84jb1fsq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmp9BB3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9BB3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84jb1fsq.0.vb

Filesize
14KB

MD5
4d70029670c7fce5a7c00f8616ef91f9

SHA1
cc9a33250fb1d43aa3896160fc5bab87a3339c49

SHA256
71844191262e31c89cabe814c46d0f3eaae4522bf69adda3e4554d3cbb9eda86

SHA512
38c6917b933e9394be19a6ee1ac987d05de46ecd03bb6a760d45a314e1a80f4f5154bef0f6590fafde0c1a0ef583c1977d4bdab0e58cc4f2a81983ce30cac5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\84jb1fsq.cmdline

Filesize
266B

MD5
a356f171734be110d475c0e37c1b01b7

SHA1
9ef2b13bcdbb6e1b289c0d0aa928ad053a871ae1

SHA256
83ef2badec45102db794d4d95fb249bfc03cec4fe27a2f45d88dec3917d33bac

SHA512
1848ab5116d73be9cc4a6c01f51ea3b9d710777f4453004604cccc01f31c0d70a6a2c0cb66320a4d3f5694798b5353f27c31d00cd03b6db295c5198f7647fb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp

Filesize
1KB

MD5
083007e223304326eadb72fcb961273b

SHA1
8189ea3fe2fae8b8c3f683b3f674df004c96b36a

SHA256
bd13dbe07f80ccd68e68f2024f5efdb282e497642c1320f8566a2c9219852bdd

SHA512
1a6b5a3b0e33c3d1894ac8d89347cb41ea273841c87088cce4a5b6038a443b1de462433d4b56ba8f58a66ad6df8a5e1878e022896f4498dae3c740351130a967

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BB3.tmp.exe

Filesize
78KB

MD5
5f7be4d81727f341c14d58cb33e80090

SHA1
a1d2961d2dd64c66803c91b7e0cc89d822e8a337

SHA256
0a8359ce471848aa7928108a7403525efeefcacb039b2ed91e83c66a4fab92f4

SHA512
0fcdfc76c6e94e088778bb7feb009aa0759323624b7e9eca9db52141beb6c745f52481ddf6965bc557cb123631b0736d136fae7662bb7f808a0fc2e72e504f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp

Filesize
660B

MD5
f839f8dcb67201eec58777e937a799d1

SHA1
0e36b973fb22cffdc272c54ab352ec4c2c9f4d07

SHA256
8211781eb56c6680649276d467c2c5c6aebdca75f13bf06f59cab1a3fc01a7c4

SHA512
31a4b075fe88293fcd15265b0b21214b7cc33ec7cbbfd6861b285811841ab828f9f81fa80ae5b7636ea3e802f8042f1fcc3c8cb50cd1621ffa58fc5aab35abd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2384-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-24-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-8-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-18-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads