metamorpherrat | 839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba

General

Target

839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Size

78KB
MD5

c021a736bee71fc4ba1c46a45d61f79b
SHA1

b2646767cfde9523540ccf4f21e0f9c8ded2cd3c
SHA256

839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba
SHA512

f8c71912bf7e570048e18858915a45a4ee4983a3803303bd5ecda6a82a6e7baf98d87a4e28c7a980f4f65b9e96f98e4cb045d54ea1779b6ae25f8ce2cad66a4c
SSDEEP

1536:BHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/01pPp:BHFonhASyRxvhTzXPvCbW2UeN9/0p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3024	tmpB5C8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB5C8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB5C8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Token: SeDebugPrivilege	3024	tmpB5C8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2472	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	30
PID 816 wrote to memory of 2472	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	30
PID 816 wrote to memory of 2472	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	30
PID 816 wrote to memory of 2472	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	30
PID 2472 wrote to memory of 2888	2472	vbc.exe	32
PID 2472 wrote to memory of 2888	2472	vbc.exe	32
PID 2472 wrote to memory of 2888	2472	vbc.exe	32
PID 2472 wrote to memory of 2888	2472	vbc.exe	32
PID 816 wrote to memory of 3024	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	33
PID 816 wrote to memory of 3024	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	33
PID 816 wrote to memory of 3024	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	33
PID 816 wrote to memory of 3024	816	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	33

C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
"C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdn77pyh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB80A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB809.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB80A.tmp

Filesize
1KB

MD5
575427df40902be0bfe1f44904ae441c

SHA1
0988abb017cc060afed05627e811d76a3633c373

SHA256
9c937417a0ee8d539af715bb7bd293ab4f3ee4af13156a5eb3e63faf4d5b4c3a

SHA512
d631484118dcfc8be7481ebc1c9006778e766b9c87e99fcab9d7a43cc01bee22bab657e28d56df6dbdba6b0d82ed1d1d73433ba8e18844e7d39321dcaa073b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdn77pyh.0.vb

Filesize
15KB

MD5
b6dd635b3b3d52c3f8abc4155cc6c748

SHA1
456ee480ccd907186c70957dd2cfcd5944cf107f

SHA256
edc3fa3f59a17210621a9391d02c0cac9438e3892495ca60089daacd1b24666f

SHA512
9d2e47db0c519f5ab86c47c496bb5c083bc59c2e87729b50127322f27704c7dd48b90704e41a85fc14713607b462b3e7e4558cf2682ab0439323162c272af703

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdn77pyh.cmdline

Filesize
266B

MD5
87596d3b2ccb8eae9d556b2f1bcf992e

SHA1
aa403f6d6132c7fe64aa8f3465fdecd9909dca5e

SHA256
1828e83ed669eacbde8daec199c0511c4b210d9a2e2e989fc0fa7b2e9949858b

SHA512
13f2d9c16b15d53c30c1957654ca0cdcf829716815bf0cb5c2fd6533abc841ac399c37713fcbe8ef925a6731dc82ecef61c2e05394b93a43aa9f87e489e1a45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe

Filesize
78KB

MD5
ee09baed49d97f5dd04a919668f038a8

SHA1
25b05e958df4019ff912bf3436262c70a45b095c

SHA256
c7a751ba6228ba3e271e7bb8ba9d361b0e77e243a92fb17f012567e4843a00fc

SHA512
bcce7d6bbdd577f93458ca7f5a14e701985082f38283522808483555b4b856520b9ca402357645de4442a278008ceb4d8ab73e03059fbe3dbd48a9104bf356c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB809.tmp

Filesize
660B

MD5
c62e8e43a48c38da44894887068e5a5c

SHA1
30503ea637bd5fc938bfeec9ecff1fe648d9cfc0

SHA256
1eb6c76a1dd806cb6447cd4d2837d8b94a211f297a3cb3c1356a1f1c1728910d

SHA512
a821d61056f2881be8c0ba6fa4e5d77e3f0e042dbc087c30d5cb4522215553e6cb468d7f540f0e6c3b16415bab636a123e2b59be6b2694ac5b5edf695206775c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/816-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/816-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/816-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/816-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads