metamorpherrat | 41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b

General

Target

11289a05fb5a3741bd4a83bbc083e210N.exe
Size

78KB
MD5

11289a05fb5a3741bd4a83bbc083e210
SHA1

ade9f086f15a970b8031cbd2d047b65b4ed7e844
SHA256

41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b
SHA512

8bfbeab532958f35b6a0d57d17670a123b3c664a2112b3110150c16d64512d54cb9c5824d144599c215ca072fd45c8029fdf56a9dcde9ca9a0818f7da99a6da3
SSDEEP

1536:Hy5jYXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtU6D9/U1db:Hy5jgSyRxvhTzXPvCbW2Uh9/A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpE87B.tmp.exe

pid process

2796 tmpE87B.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exe

pid process

3068 11289a05fb5a3741bd4a83bbc083e210N.exe
3068 11289a05fb5a3741bd4a83bbc083e210N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2796	tmpE87B.tmp.exe

pid	process
3068	11289a05fb5a3741bd4a83bbc083e210N.exe
3068	11289a05fb5a3741bd4a83bbc083e210N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE87B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE87B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exevbc.execvtres.exetmpE87B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11289a05fb5a3741bd4a83bbc083e210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exetmpE87B.tmp.exe

description pid process

Token: SeDebugPrivilege 3068 11289a05fb5a3741bd4a83bbc083e210N.exe
Token: SeDebugPrivilege 2796 tmpE87B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3068	11289a05fb5a3741bd4a83bbc083e210N.exe
Token: SeDebugPrivilege	2796	tmpE87B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exevbc.exe

description	pid	process	target process
PID 3068 wrote to memory of 2372	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 3068 wrote to memory of 2372	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 3068 wrote to memory of 2372	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 3068 wrote to memory of 2372	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 2372 wrote to memory of 2572	2372	vbc.exe	cvtres.exe
PID 2372 wrote to memory of 2572	2372	vbc.exe	cvtres.exe
PID 2372 wrote to memory of 2572	2372	vbc.exe	cvtres.exe
PID 2372 wrote to memory of 2572	2372	vbc.exe	cvtres.exe
PID 3068 wrote to memory of 2796	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796	3068	11289a05fb5a3741bd4a83bbc083e210N.exe	tmpE87B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe
"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.0.vb
Filesize
14KB

MD5
dde582c16be7d143e1458d94dbefb5f4

SHA1
0f62e9f4f13b6d9de0828d1a956d8d72277965a6

SHA256
0d396c8d0b41abfe0b015f82271f50353635b73a10686c77ab4f0b7c58b73ba6

SHA512
89a2146f085ab01af6de42f178bd22e697030cbcd6aa4ca5dbe8536c4d1cdf5df4cb091546162698baae4a419abaa3e4c8bb551657e73fe4639d65eaec16cfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.cmdline
Filesize
266B

MD5
06e76e24eefc654968eeb836930bad6f

SHA1
fc9bcc2d34d5b7a4e8141feb4a39beaadae83130

SHA256
1b02e87ad61b4b12a5d2f6dc295957fa2798f612613a39cfa69a8fbc5c636407

SHA512
499d0d4e983d80f8591f2eb4fc32bb7b87079bbedf9c71188146c289d6f8f2de495752816820d2f189e9e12ab9f067db56afdd1b30f662f53584b31430060a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp
Filesize
1KB

MD5
fee6c820d2afccb419f20890106614ab

SHA1
3fcc1d62f703dec71fd2c6869950bebfd1f31319

SHA256
3f47f33e3a684e7e4229b53d0fe5b0c64c01e103b03fdc4b7fd4986704602f41

SHA512
a69815c302cf3aa38e5fbc3b927778178a654c6d2b9be0a905bc0c36136135888999d29ef9c726b703a6c21fd96277d8134e9e6f2e754743e9101b41000c4acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
Filesize
78KB

MD5
de8bf1069bd09832691cad91c110002e

SHA1
58fc29ece900ff3283227a40d3feca3ab04e3d71

SHA256
0d876352b5a0f4171cf549efae0241bb04d12ed2c17813b3d6ca564d48229e9c

SHA512
4a548145b653934a139d4bd045d0bfa8a33369c90b14b8ce9917685e1686b9e7f442d9ef957265ef7f8322ba5bbb5c1e70fdd36dff639a84921ff2c225b7f9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp
Filesize
660B

MD5
7c6bb724802574f85253ae6353ee2b0e

SHA1
c99300557ebe1d34e77a03ac6bce29537fe3c320

SHA256
25eb343d34585794aa3152c9ba7d0d1d3e0ba00d557634f647844c25e52dbff6

SHA512
4b16d10dbfab0bafa0317862727847c4871d00b288491b9b5aab368b9552371b67fc31f03809d9343a31d1b674f63893e77421bd3e29166d2504ac035a82913e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2372-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads