metamorpherrat | 62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

General

Target

86ef2a66c72c1d358578f09b15ae4dc0N.exe
Size

78KB
MD5

86ef2a66c72c1d358578f09b15ae4dc0
SHA1

b84d8932f011b1f3a2b923af8ae2a2359142a4a5
SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
SHA512

7ca899f0df1d3e605f2a7443e578fa382f091b0e5fd6f70f1287bd4315210a6373fae6283cd8da664e556a8d4f68332ce7d10be0214654f252f3833902547fe8
SSDEEP

1536:Yy58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96b9/Qd1W2:Yy58/SyRxvhTzXPvCbW2UI9/8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC3EB.tmp.exe

pid process

2904 tmpC3EB.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exe

pid process

1964 86ef2a66c72c1d358578f09b15ae4dc0N.exe
1964 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2904	tmpC3EB.tmp.exe

pid	process
1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe
1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC3EB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC3EB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmpC3EB.tmp.exe86ef2a66c72c1d358578f09b15ae4dc0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC3EB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exetmpC3EB.tmp.exe

description pid process

Token: SeDebugPrivilege 1964 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege 2904 tmpC3EB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege	2904	tmpC3EB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.exe

description	pid	process	target process
PID 1964 wrote to memory of 2152	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1964 wrote to memory of 2152	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1964 wrote to memory of 2152	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1964 wrote to memory of 2152	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2152 wrote to memory of 2304	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2304	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2304	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2304	2152	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 2904	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904	1964	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmpC3EB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yoofl24i.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4D5.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp
Filesize
1KB

MD5
a2cefd9235e3fa8442dfb857c31fc3f8

SHA1
de7c6b93cbea2f7fc6b79a60f9b0860bfc1e1670

SHA256
6f8af295f02ef972ff8790040f7676b78f04a0fda3b2284261b1c4294529587a

SHA512
f61316becb999514688c3c21e79bead2a86d4c0c9298b8d2e5e18b5e613adc7433ca68941d495a0d3923585998c9ede01afab3b2f46589888be0d01e6435c142

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
Filesize
78KB

MD5
a9a1d1c1c9cf674304f76d56adf1df64

SHA1
ffc93cae555fe3b054f05aecbeba5694c32d353f

SHA256
e5a6bc460b8e9d60d62626d49c4172589a85af84986fbc1a1ad179c55ba35bd8

SHA512
2487f81e227327f98ffb701682dfda7d019cc82e877d8a11424955c86e5cd8a618c0dfa92a4ccdb266e305b4a8fd019b702e927f2e2b68071144ccbcbaa512f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4D5.tmp
Filesize
660B

MD5
1b497b29fd75560f11ea0d01594e8fa5

SHA1
fe038da1ca9abc592f2b8481e44d58737f3c8ac9

SHA256
db291966b9a3f83aadb65872fbd9f0bb812a9c64042dd4ab3f1fdb0ecef8f7c6

SHA512
5e6789429ce5484255e0c763f7bf271fcaeec66f0aa82fde62dc583e6e85f438716c4db25aefa174efd250c8eec581a377a3f507f426b356935d3653e6c5a916

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoofl24i.0.vb
Filesize
14KB

MD5
02eab4d5534f75e03c25ce769b100846

SHA1
e328c8ca26752f4cc9d6ac7bb9299f159796f0b7

SHA256
87ab032143d3e666acb3179eca11b907632fcd2895ae9e31a4c39cd95a76dbfc

SHA512
8f60f28f1fe188a7d0770e3a895e0e442650e347f122ac77689b22dcf2879335f9f3a1621c24151a679d2fe02937d24d57d56175e42ada24de3ba286d48565f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoofl24i.cmdline
Filesize
266B

MD5
d58c2d85b3221aba35a70e6dbb2d3556

SHA1
59d542f8e6f18ee83164ce70b2c665c61f5fb3c1

SHA256
da77c78aba9d5bd4c7477f2cc580081510372d021509c512cb9a1597902c81cc

SHA512
ea280e7977f39b8d6be0b270b8f788db7041a4003c0f56aa59dab59adce4506475fb970448e45f07d4b407b70cc378bf1162ac08f4d8303da5a118019dd73d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1964-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-24-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-8-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-18-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads