metamorpherrat | 6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7

General

Target

5e33b6299facd682436d9b0d84ad2730N.exe
Size

78KB
MD5

5e33b6299facd682436d9b0d84ad2730
SHA1

d009e6006dcc2d0581f691c7ed8a0d28fef0014e
SHA256

6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7
SHA512

69551cbedee43567919cf761e0aead9c9f9147ec2ff9ed451c7e04829e0432cfae13d4a771ba30a5724e0a45f0927c3168d5892345501e62418b701cc0b0982a
SSDEEP

1536:VHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRq9/YD1Si:VHYnhASyRxvhTzXPvCbW2URq9/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpE7D0.tmp.exe

pid process

3028 tmpE7D0.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

5e33b6299facd682436d9b0d84ad2730N.exe

pid process

2996 5e33b6299facd682436d9b0d84ad2730N.exe
2996 5e33b6299facd682436d9b0d84ad2730N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3028	tmpE7D0.tmp.exe

pid	process
2996	5e33b6299facd682436d9b0d84ad2730N.exe
2996	5e33b6299facd682436d9b0d84ad2730N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE7D0.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE7D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpE7D0.tmp.exe5e33b6299facd682436d9b0d84ad2730N.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e33b6299facd682436d9b0d84ad2730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5e33b6299facd682436d9b0d84ad2730N.exetmpE7D0.tmp.exe

description pid process

Token: SeDebugPrivilege 2996 5e33b6299facd682436d9b0d84ad2730N.exe
Token: SeDebugPrivilege 3028 tmpE7D0.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2996	5e33b6299facd682436d9b0d84ad2730N.exe
Token: SeDebugPrivilege	3028	tmpE7D0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e33b6299facd682436d9b0d84ad2730N.exevbc.exe

description	pid	process	target process
PID 2996 wrote to memory of 2072	2996	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 2996 wrote to memory of 2072	2996	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 2996 wrote to memory of 2072	2996	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 2996 wrote to memory of 2072	2996	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 2072 wrote to memory of 2004	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2004	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2004	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2004	2072	vbc.exe	cvtres.exe
PID 2996 wrote to memory of 3028	2996	5e33b6299facd682436d9b0d84ad2730N.exe	tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028	2996	5e33b6299facd682436d9b0d84ad2730N.exe	tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028	2996	5e33b6299facd682436d9b0d84ad2730N.exe	tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028	2996	5e33b6299facd682436d9b0d84ad2730N.exe	tmpE7D0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe
"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnbfiz66.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp
Filesize
1KB

MD5
b55da29f61f2bd14d2fcdacae545486b

SHA1
fbac7618dd2b1f78fdb05bff9f6a2685d62378dc

SHA256
7f7378f5c354c294ead0e0e1cff77536e1841b94cfdf54cee4fda01257c88724

SHA512
2edf153d24f827411ae3b1839dac5f055dc07db6a6667a38ac799cf9c16eae8ea45d3b973a0afd6ff4d5a27a3b01b15240da4c7ce2fa07290b9af72cc5df1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnbfiz66.0.vb
Filesize
15KB

MD5
200224afc4551840ab039259a1ca1d19

SHA1
6c6666e4d3c71ed35f69959beb7c0eecb9cfadc9

SHA256
5c7cdfa85ab57890040cb44c0e047ebba917c9d0b8214e8311684ddbab09d1d5

SHA512
2ac20ba569a20992f0652b3566295ad887bf96426b15a2eb173fc07bc79b8729357e7cb50aaaefe55e2dced354b04a388c665c2a9fe5f6a8b8dfd962fd68aab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnbfiz66.cmdline
Filesize
266B

MD5
a2adfe8b0a1340d941ef52661d410ea1

SHA1
3750916d5ee840eeb4d71610492b017de1b4afaa

SHA256
64a496fa7eac6321c6729c4020dfce3ff96834a18572c4b8b942ef95289afb37

SHA512
781c5b9048fa10267dcf45d79132b43614795a0683efb2f0da8d563c6cd638030a3282f5ca28ca45b01281c5c8d8a7a1c045940b768c8c481820d610477b76a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
Filesize
78KB

MD5
916935bae129c6a455339f510d7b3dcb

SHA1
d82bc14bb25ccc6b3a020ad85a861f2754e63d1c

SHA256
961a80321e2d200f47b35deca044c1ea8746504b78995576021b77554aa84438

SHA512
18da3dadf3126f9cb75109dc292b71094111432a9b81aa0f1fbdc2a0b38eb032ed2d51469659a452fb443b6eaeeca2e3a2ae46ddd1d8903ab2057ae380ea18fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp
Filesize
660B

MD5
b302d62d43d996b7d82cb7f58bcae392

SHA1
c07717723f70117bd89db4ca14592aa3f8d4027e

SHA256
54b381c18fc9128636cb4a6c0d155971089bf40fe489c772899060f34cd12c69

SHA512
5054c8bc1300570016fcae5ef9ce1908d0889025e513e72a302dba06e140661fdd4d4ddff37ffe9c35d21971da2aa8c94d26642f22071fe2ea8542c122a11281

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2072-8-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-18-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-2-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-24-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads