metamorpherrat | f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467

General

Target

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Size

78KB
MD5

17890bed103398d6ec4b31c1b1fec255
SHA1

0e318c585a2612df55b9990d3aae0a519222558c
SHA256

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467
SHA512

10b1c592be924f98473344d54ff6fabaa3ac76ca88bb886038975dc775e47c84b65fb9e144340b0f52d63dbc7e013eae9575f0ceaba19070096817f18b5044e9
SSDEEP

1536:nuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRb9/eR1ac:nuHFonhASyRxvhTzXPvCbW2URb9/e/

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp84F8.tmp.exe

pid process

2568 tmp84F8.tmp.exe

pid	process
2568	tmp84F8.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

pid	process
2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp84F8.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp84F8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exevbc.execvtres.exetmp84F8.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84F8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exetmp84F8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Token: SeDebugPrivilege	2568	tmp84F8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exevbc.exe

description	pid	process	target process
PID 2292 wrote to memory of 2028	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 2292 wrote to memory of 2028	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 2292 wrote to memory of 2028	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 2292 wrote to memory of 2028	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 2028 wrote to memory of 2420	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2420	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2420	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2420	2028	vbc.exe	cvtres.exe
PID 2292 wrote to memory of 2568	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp84F8.tmp.exe
PID 2292 wrote to memory of 2568	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp84F8.tmp.exe
PID 2292 wrote to memory of 2568	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp84F8.tmp.exe
PID 2292 wrote to memory of 2568	2292	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp84F8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2420

C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85C4.tmp
Filesize
1KB

MD5
43ad80d9fa151dc5c45670292716a978

SHA1
cabf1471edccc46896718f56aa98d57a25b05afd

SHA256
76cc545b92eaf377091783fd3e1ee6afd86ca7709101c5bd3cdf76a993667394

SHA512
00e4d125ebbad6d0fddd18c595ec3b0df6eb388f29606a7426f548571d06a605e0833ca57627e96b48104fbefd570afa14512c27eaa32a6e132109b0fcf7fec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.0.vb
Filesize
15KB

MD5
1ca3476e4efc13f7b53965797e787524

SHA1
538326ed3a32f4565e020a8d76e15c66694e9dc4

SHA256
0f7302d1cae82915188c062d6e1df39fa43706d9ba2bd8bc1aec48d55424bcda

SHA512
e9c54f32c1f21e6ead0a8a896c964565730ee7602ae10f58540a91e1100293ebe415eb84eeefb88cba325f5a5109f555ff418d65537c208dc55c8309fffc0329

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.cmdline
Filesize
266B

MD5
9555af1825a65d10df262dcca1031a09

SHA1
55f25e84e2124cdcc0f08d40eea43f19f2c32b40

SHA256
6cb7b7b16cab2470783dab32c437a31769a9c007a51a02f1825ea95e88d5448b

SHA512
e0f57341505ae619af16fe8fac820721b43830dd1436e4e63e23c9fb2d798149930646dee14b737b40beb803b672d71e54afae007de17412f6080e169d2e849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe
Filesize
78KB

MD5
d8a6b140ac58b9bf47b426128ad86b88

SHA1
c7dd924e95ebc1e416028e9531e8ff635ab39df8

SHA256
f261740d7aae03c4d7e6a8689ac2e65ff2c035cbdef3988d7acd37b1af02fe58

SHA512
880168cf2e47ae75b352a4f860c26bfe4861c1d942aea3a93c4c7c6af03189e50f72b3225646b6fdae13f9b93861d54853b34b604e6ca54d84468c5958466bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp
Filesize
660B

MD5
e5d126c748adde3523500e4b57f180a0

SHA1
692e4f03d10fa0ba6a9b900b5e1c57b6ec50939a

SHA256
5cee9f1b73fa5797690d30f448c2be6548e8234caddfa438d94e2058034db8ad

SHA512
b3cca473edc8cc0e8b225a6c4a9b3d0386228a6aba3696d1d6c9d0d894e28233989eba3641c41e2b1d00d906f64fe2e9631aee01b8da665afb10b22da514d37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2028-9-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-24-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads