metamorpherrat | 1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19

General

Target

1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Size

78KB
MD5

0c541636c90447f84b405665a7cbe1cf
SHA1

158060e809d81ec5157c0046d1ffbe49d831fef2
SHA256

1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19
SHA512

4c7f7950905160646a35c41f1b61e8f7176da98f9b8eb98eef09bb4bbac7ff3dae0ad68246a3c8a8260f9216de102de091ad81478096de99213b7830815b2688
SSDEEP

1536:+c585XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96r9/lpL1Gh:+c58pSyRxvhTzXPvCbW2Uk9//s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2208	tmpA7B4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA7B4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7B4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Token: SeDebugPrivilege	2208	tmpA7B4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2544	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	30
PID 1860 wrote to memory of 2544	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	30
PID 1860 wrote to memory of 2544	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	30
PID 1860 wrote to memory of 2544	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	30
PID 2544 wrote to memory of 1252	2544	vbc.exe	32
PID 2544 wrote to memory of 1252	2544	vbc.exe	32
PID 2544 wrote to memory of 1252	2544	vbc.exe	32
PID 2544 wrote to memory of 1252	2544	vbc.exe	32
PID 1860 wrote to memory of 2208	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	33
PID 1860 wrote to memory of 2208	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	33
PID 1860 wrote to memory of 2208	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	33
PID 1860 wrote to memory of 2208	1860	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	33

C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
"C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3dyehj7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA890.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA88F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\tmpA7B4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA7B4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA890.tmp

Filesize
1KB

MD5
0a221db33b614fdc3874d70126fa2b6d

SHA1
7930e6ec5153b033290985ca8598e41f73c88929

SHA256
3c50680ad7c5ea15e8d880432cf2b9d82189570cf67a66071e351a774e4110aa

SHA512
3f722ed38e097a9716e5123a47eee61430b145ba8f7d83c9c9a0c5cb8e3cb21653eb138d5c204cbb3c136a86a5f877cfb47503a74fd8f65ff0a2b031c31d2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dyehj7.0.vb

Filesize
14KB

MD5
d7408db436930466bec2a944f085cae9

SHA1
171c47216a06a37bbdc1867308b94300e5aefd49

SHA256
259420c66bab2d4dcb35e00912dfacdf17281ed45cf883a9e2c802bc481d2260

SHA512
2c427fb89e44ff01c6c13ca5d4a72c422852476224ed2dce6f8e85d0676bdfec0be2b6ab52eb742df45a941e094643ab3afcf3be89406593c61c0ccaa53b2a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dyehj7.cmdline

Filesize
266B

MD5
9f934656ad907231608ba43d0355fcba

SHA1
c79b4dd5cc6f8b8392190e7eeedb673be644a5db

SHA256
18af54eb4cec48e753ffac4c5ac006d46778d9629a5ec5a128619413fcba97a2

SHA512
4a8db05773204a6f0fbdee5e5687a246b40f814a8d7f7bff282bb282af91541556167134435bb37fbd2229bad73e196daca7090cbbfb8e188b81102ff3c08f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7B4.tmp.exe

Filesize
78KB

MD5
f9549ca3847196833a7d1a978753579e

SHA1
c414ed267fbda0f2641087ed8f2333ea8fd1ff43

SHA256
70bd8520610bee79715417c0885f49a9d58997c0a2a684e02d10a419420d8c41

SHA512
b1d5ed886f9bfa9a5d97aa539e44be8e4bff3efb824db2ef2d82f1c9963caee63cc3d90ba8d34814a35d808062b1e29ef3630036e1f6e39459e45ade109d517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA88F.tmp

Filesize
660B

MD5
278da3e858dbeba2a2888e7780201ae4

SHA1
f702948273fe7d7ad61d02510386597dc109263b

SHA256
116f09d4fc07cca0ae454a9b4def5b8073022ff74d9cdafebd4daa90801e943e

SHA512
cfa20951023600c75d85030f02e7c5a434ab99851553feaffdd3bbe4fee1165a1361d590a564ef56bc5c2a617c29f907251c827eae3bbfd6bbb4ee5be0a5f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1860-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-6-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-24-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-8-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-18-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads