metamorpherrat | 1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489

General

Target

225c0b4ed49f5896b45033ffcc1de010N.exe
Size

78KB
MD5

225c0b4ed49f5896b45033ffcc1de010
SHA1

bddecbf555997ca0124a86ea7be425c2b0040227
SHA256

1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489
SHA512

218649e52649cdae274cc3813e1cb3a4f9412dc1b135fd24d583175b8d687a8bc4dc79ddb73c9eb06b11a5e1a7e4267ce766df107d4fbb04f7cdc159811295c0
SSDEEP

1536:U58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty61h9/WG1FT:U58/SyRxvhTzXPvCbW2U9h9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpD671.tmp.exe

pid process

2772 tmpD671.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exe

pid process

2420 225c0b4ed49f5896b45033ffcc1de010N.exe
2420 225c0b4ed49f5896b45033ffcc1de010N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2772	tmpD671.tmp.exe

pid	process
2420	225c0b4ed49f5896b45033ffcc1de010N.exe
2420	225c0b4ed49f5896b45033ffcc1de010N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD671.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD671.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpD671.tmp.exe225c0b4ed49f5896b45033ffcc1de010N.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD671.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	225c0b4ed49f5896b45033ffcc1de010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exetmpD671.tmp.exe

description pid process

Token: SeDebugPrivilege 2420 225c0b4ed49f5896b45033ffcc1de010N.exe
Token: SeDebugPrivilege 2772 tmpD671.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2420	225c0b4ed49f5896b45033ffcc1de010N.exe
Token: SeDebugPrivilege	2772	tmpD671.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exevbc.exe

description	pid	process	target process
PID 2420 wrote to memory of 2180	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 2420 wrote to memory of 2180	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 2420 wrote to memory of 2180	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 2420 wrote to memory of 2180	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 2180 wrote to memory of 2708	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 2708	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 2708	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 2708	2180	vbc.exe	cvtres.exe
PID 2420 wrote to memory of 2772	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	tmpD671.tmp.exe
PID 2420 wrote to memory of 2772	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	tmpD671.tmp.exe
PID 2420 wrote to memory of 2772	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	tmpD671.tmp.exe
PID 2420 wrote to memory of 2772	2420	225c0b4ed49f5896b45033ffcc1de010N.exe	tmpD671.tmp.exe

C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe
"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6hff068k.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD866.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD865.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2708

C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe" C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6hff068k.0.vb
Filesize
14KB

MD5
bd3afaf0a9f42f1430f4fc5ac6f6bbbf

SHA1
0d752728bf01a9936d5cf0f8aa78dd3b288e1b7b

SHA256
6789788bb1ba0e397000b15545713b1468f7f749e581d1d670d7224d98a91694

SHA512
1be0f5fd0e0c705f4cc3b3d70bfd1a42abecd0a8d5add45e72c4a186ed027ca6d669000098dda61bffff5f8e3cdbe22b364f8186243f9ffa2d11f11859060749

Download Submit
C:\Users\Admin\AppData\Local\Temp\6hff068k.cmdline
Filesize
266B

MD5
5cb7fcf6be7ac3d4a6d7f9883b1ec9d6

SHA1
0d87c51ed359776a5d68e3c4ef3e28ec3eda7b4f

SHA256
70ef6c682890549a4e88d557ea5becac691bbf4999fe375a0339ed74ead9e210

SHA512
5b17528b4121f6d81000d261480d08d8f15fe3bbf9b29a48c849c576e09e7b14d065c1b75a2ad4d418dedfb19eb0286d2e0672c69d82df6057a455a3ce9c7a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD866.tmp
Filesize
1KB

MD5
aa940126e3b0c3088b66fb191d08326d

SHA1
859e54d8586371f378731eff787cc9a187338948

SHA256
c2964958035f6d3b1656b2a608f91f93792d6be3c5fbcddc1d4f9b31125e4043

SHA512
b50ed069c1d41524a946b45a2558d2645249a9797366987a1053c3f486c6ba955a24357c8c3875cca82934b6774d09c62f17e3024b79852d9ec7a5cae53782f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe
Filesize
78KB

MD5
252c6437159f9b694b8cc9a0b1f80700

SHA1
6372198ed621f00cd5a2bba62128802c33cfc52a

SHA256
0775ddd4cfcd8d421defca57a6ce47d2b8fc8bec6d17a58763ee16a94c5c6486

SHA512
217e5a3fe8028c1edbdeaa583ee878aa73d1b7c061091c24468c0ab4378e56a136bbb3b2d17c9ed57ff4a7368cb5d6cf6a548ef38dc18aba6ac0e402d0b85659

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD865.tmp
Filesize
660B

MD5
d94980952f12b3348f3e14c5e3d2048f

SHA1
ce16f015abefdc2b3cd56baad3e9afc64296355e

SHA256
d6ea1f4b57aa1e492d6240ce9e94aeb0fa985bdfb84e263dead920d7a091ec85

SHA512
81764961785f0a931d63f77f88ecd1b8951f6dc124dc00f9fc5df392c1c7b13e486b07755b95dcbca1288689dedd73926c4ada599f2cf49cd84f526734421f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2180-8-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-0-0x0000000074911000-0x0000000074912000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-2-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-24-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads