metamorpherrat | e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243

General

Target

0002bcc0491b271edc25aff61de80f00N.exe
Size

78KB
MD5

0002bcc0491b271edc25aff61de80f00
SHA1

d9dcb3ade7946c494f6d41d374b5d994e24d2157
SHA256

e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243
SHA512

af8e2cb5e2b37165e30d217d7c1c5b0a31d16ed9ee36df6309041ae33e832cee85268fc2f9d25e00c008a6f307d4acdb57e1406a036fb1c30ef2250219ede467
SSDEEP

1536:VCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtc9/U1WA:VCHF8hASyRxvhTzXPvCbW2Uc9/e

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0002bcc0491b271edc25aff61de80f00N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	0002bcc0491b271edc25aff61de80f00N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpAFF7.tmp.exe

pid process

4924 tmpAFF7.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4924	tmpAFF7.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpAFF7.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpAFF7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0002bcc0491b271edc25aff61de80f00N.exetmpAFF7.tmp.exe

description pid process

Token: SeDebugPrivilege 744 0002bcc0491b271edc25aff61de80f00N.exe
Token: SeDebugPrivilege 4924 tmpAFF7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	744	0002bcc0491b271edc25aff61de80f00N.exe
Token: SeDebugPrivilege	4924	tmpAFF7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0002bcc0491b271edc25aff61de80f00N.exevbc.exe

description	pid	process	target process
PID 744 wrote to memory of 5028	744	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 744 wrote to memory of 5028	744	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 744 wrote to memory of 5028	744	0002bcc0491b271edc25aff61de80f00N.exe	vbc.exe
PID 5028 wrote to memory of 2340	5028	vbc.exe	cvtres.exe
PID 5028 wrote to memory of 2340	5028	vbc.exe	cvtres.exe
PID 5028 wrote to memory of 2340	5028	vbc.exe	cvtres.exe
PID 744 wrote to memory of 4924	744	0002bcc0491b271edc25aff61de80f00N.exe	tmpAFF7.tmp.exe
PID 744 wrote to memory of 4924	744	0002bcc0491b271edc25aff61de80f00N.exe	tmpAFF7.tmp.exe
PID 744 wrote to memory of 4924	744	0002bcc0491b271edc25aff61de80f00N.exe	tmpAFF7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe
"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jnatxnye.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB82D3E0314C4826858B71D84BA576E.TMP"
3⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp
Filesize
1KB

MD5
e6687c99d663575a61d4e8d7343d17a0

SHA1
22f108a1aa30b37a58281c7462f76d852495b7b3

SHA256
65a923b6e2587c9a13197d6d7f7fa3e762210639e46570e38c0892848daaabff

SHA512
bbe299be7d780d1a50f8fa16e6b4208d76508f6e3c50cc1c9c7da678b9092003a5ae1a0542330cac23944eaf890b808e3c0667ac289f4c7a2f089ba3c7599f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnatxnye.0.vb
Filesize
15KB

MD5
69945620ea1e15557ebb0778e108ea63

SHA1
36b8d9ffc5eab17ca0a3fd871886d1decf0c7a41

SHA256
6869fa6efcc4435dd74a0e82ba6c78a83e4ca25a94866394bfaa39b1fd0aa694

SHA512
661590ed792ef7e9288eb645d58ea4dea059df89ac1d61cd702cd09490ef868a0e170c4be28a686c90a5fc22a8f8bb6bb6c954022de6e032df065a84ae742fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnatxnye.cmdline
Filesize
266B

MD5
cc0d94264e27f5094dd67c4632512fed

SHA1
a488f85222e864e7fd76eccb6981af6401a7a5f6

SHA256
970876d5bc12520663e1de7e0c8cba8e08348e752b8471ff09f9e7552e0f5ebd

SHA512
02db3ff41385cb7e745067f3accb38a3ee7763adce09a91476e61737b6e5cedbdc1a23bc92e7e9138a65df388b95f1267e25e2fe91cc515f0001536e8bbc16e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe
Filesize
78KB

MD5
5e6dbd2279c5bf4c61ff86a6a51e174a

SHA1
8aa30a1ab47d328cc07acfc08f24c8e0d82474c7

SHA256
9c826dcce1367aad0f268c9352a62892898531544106053b711c8c6b0cfee4bb

SHA512
301f22bac294c85812d99992ffbb66e0aa6a6436fefce8b61b64ec5e1b38a707a13d34714a1d8a4666c20eeee9343292aade897eb6bc460904f2bfb5200f81a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB82D3E0314C4826858B71D84BA576E.TMP
Filesize
660B

MD5
e8ebb6656dd1155314dfeb21f1f2da6a

SHA1
e6efc86a051b1e9d03febfa6bfcd1ab3af58c60a

SHA256
1bf7141b67e993deb2101421dc3bfe8bbfc785f953871b81813df3095e8b0bf6

SHA512
1912a627e5c05ab4f3fa9767c1aad9c44211cde7d4dbcb28c502f383f63824e9a859f0cc35aed182ab198e68ed6b9654719a28eaf38d5bd1d4a87accad6ad455

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/744-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/744-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/744-0-0x0000000074C02000-0x0000000074C03000-memory.dmp

Filesize
4KB

Download
memory/744-22-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-25-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-23-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-24-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-27-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-28-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-29-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-9-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-18-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads