metamorpherrat | 81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1

General

Target

81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
Size

78KB
MD5

dfad94f5f6303cfb3de527afd835de60
SHA1

a9ec98e8a304341523c957947ba95dbe4672503b
SHA256

81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1
SHA512

4dac95d80f8fd285ec931ce4e9e4740bab795311b2c22dfecb95f66f36c0013a4cd31364468d3639e7340bd4fe44c95a7b80040798cc840c14d5ffe6b8a403be
SSDEEP

1536:OPy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty699//+1xx:OPy5jSSyRxvhTzXPvCbW2UV9//0

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2796	tmpF24B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	tmpF24B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF24B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF24B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
Token: SeDebugPrivilege	2796	tmpF24B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2812	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	30
PID 2736 wrote to memory of 2812	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	30
PID 2736 wrote to memory of 2812	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	30
PID 2736 wrote to memory of 2812	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	30
PID 2812 wrote to memory of 2572	2812	vbc.exe	32
PID 2812 wrote to memory of 2572	2812	vbc.exe	32
PID 2812 wrote to memory of 2572	2812	vbc.exe	32
PID 2812 wrote to memory of 2572	2812	vbc.exe	32
PID 2736 wrote to memory of 2796	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	33
PID 2736 wrote to memory of 2796	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	33
PID 2736 wrote to memory of 2796	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	33
PID 2736 wrote to memory of 2796	2736	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	33

C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
"C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8j3np74m.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\tmpF24B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF24B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8j3np74m.0.vb

Filesize
14KB

MD5
be47043df3fecd7b0937fcbd63bd3aae

SHA1
a0fa66da4fe0f59d7bea7fc3859fc597998b031f

SHA256
9c44c110ed679b6de3673484293f513abe7781902855816980a08c2de9d42344

SHA512
2d861730b0e1119c13257ce007b612cdc95dc78228c3421cd5cc421a4a96fb686222b05c2c61adc824f54f64ae61ff055e45912bce5abf4a6ed0052801048bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8j3np74m.cmdline

Filesize
266B

MD5
7c144917b08a60673a9f8fa33c0878cf

SHA1
96ff166452228de91838a65629a203b1276597fe

SHA256
ebc39e713d44e4eb6241370859b620478a6fe32f7dc91c5c050ee63e7d99b426

SHA512
8a4debc3162ff47065ce6f51e055a512017e351f6d7a2214d65baf43698cafd1cc87bfa7056b24ba6eb6967d3c7a91080545ac1f11b2fda22cd1c67f7d05bcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2F7.tmp

Filesize
1KB

MD5
b24e62f4ead2eeba2e4329607ef0fe36

SHA1
f8e0e9b1d79baac39a1f32843324560cf740aaa1

SHA256
cab6d5cc97a190ba9cb8f2a08338817b5c4e9551b7dc472fc11a6ebda5872ee6

SHA512
690d2b6e9a4190b67e374a17c8d548e0dc1c8dd10ff3332c52236d1b486e16df775f60f008b1d2ac932c5c7ba5c93bda80d74a0ff14be72c06a0a44ddc1331f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF24B.tmp.exe

Filesize
78KB

MD5
707c77bb394f2dc8bffafd2922837313

SHA1
3ddf82614cbad3ad54bc0f0edff387fdb096081c

SHA256
055874bd0a6879b48db3876482a960eedb78ae57035c7e8d128d130d34de2add

SHA512
df226d2470be850234a1b8042462ee8d78db7f4119d0ab7d869c709874525efc499e85ed1cfce6cf704222e817358a51499f193cc953343cf5fa522b21c49613

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2F6.tmp

Filesize
660B

MD5
efb79d54a31175648ea515dbb5b5b4d4

SHA1
7f86e8171caf6a4528db9a016b9887537c8862d6

SHA256
451009655a870e1dd493a36d0582a7d22b11bd8c8d54e47668bafdcf2eaa7ec4

SHA512
322e08679fe5b8579f2767272073a286c3032afb3aca8a3860c29e1a2e0821432da8b073eca1339322c757aa8ed8d4d816934cad75bfe01761d5b56b0245b6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2736-0-0x0000000074791000-0x0000000074792000-memory.dmp

Filesize
4KB

Download
memory/2736-1-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-2-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-24-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-9-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-18-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads