metamorpherrat | e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2

General

Target

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Size

78KB
MD5

7f8d9f9b10b2dd136c2703db3c2bf6c0
SHA1

f007132a9fb91d4ca34bc43576a9358fa98e9c41
SHA256

e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2
SHA512

a2471f982ecee25f36539c6298b7f65e67bc5030765cf3197759288b006020bb15feaf406dfe7b741d5dd280a603d372514548f31d58e2a7dd1e2dbd08400b27
SSDEEP

1536:dRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6e9/OO1cd:dRWV5jOSyRxvhTzXPvCbW2Ux9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp76C5.tmp.exe

pid process

2720 tmp76C5.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

pid process

2856 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
2856 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2720	tmp76C5.tmp.exe

pid	process
2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp76C5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp76C5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exevbc.execvtres.exetmp76C5.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp76C5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exetmp76C5.tmp.exe

description pid process

Token: SeDebugPrivilege 2856 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Token: SeDebugPrivilege 2720 tmp76C5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
Token: SeDebugPrivilege	2720	tmp76C5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7f8d9f9b10b2dd136c2703db3c2bf6c0N.exevbc.exe

description	pid	process	target process
PID 2856 wrote to memory of 2616	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 2856 wrote to memory of 2616	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 2856 wrote to memory of 2616	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 2856 wrote to memory of 2616	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	vbc.exe
PID 2616 wrote to memory of 2436	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2436	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2436	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 2436	2616	vbc.exe	cvtres.exe
PID 2856 wrote to memory of 2720	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720	2856	7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe	tmp76C5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxmuw0ku.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES781E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc781D.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2436

C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES781E.tmp
Filesize
1KB

MD5
7221d7228f1d169770a220487d1dca65

SHA1
cf71ed2e7f4b74ac872ba45fd3a9735731932dcc

SHA256
bf4cbf3155bf36ecf7c8f91d6952dd15e7676f14c295552b4ea8a3bbe7a0f71d

SHA512
4773801b99fd03bab56c305727a8f1935f45616778d65bef0a91186da323ff35c4c443f836f8b2063673e8fd9c1dbe1e81646594236badbf68f1adc3936e1310

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxmuw0ku.0.vb
Filesize
14KB

MD5
3fefff7a57c0303a17ebefdd3dc4d58f

SHA1
0d69fccc9ac782e2f043401f86d9ddeb800e7ff4

SHA256
b7d609c11934a0b1f8728384882a26734a48963c2f2ee00315edc256f20d4f69

SHA512
cb826888fb1ebf40b40c04baeb66aa0de1a42940ec9967a868f9fa195d92fd4541d11f6adb93a4f8be954253f2b30448ce20cb47d6e153e175b16d8775bd46b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxmuw0ku.cmdline
Filesize
266B

MD5
b17b5a3591570807496a42ce2f846c7c

SHA1
7885406db7828da190b7252c06621b7fb87c1066

SHA256
f986f3ec24325e786bfb23f8ced9881cebc8ba75f8886415e7724b353cefab65

SHA512
903fdb3440c0745c2f7af7f30ec88a2de096812c0d0483e6cffe9adc9b7629b13ffadceb6f122f14fad0b890b91fb850dcc6a1d544127ee369d921984081c2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe
Filesize
78KB

MD5
9525851641851bb0c01e9fe0f66ff610

SHA1
2274d171ee72cfaeae93861095ed26e10ce8449d

SHA256
e435a93fca9bae08cd49f87309077f6e2eeea6ac32cd1841e44023aa05c7e0cf

SHA512
23d17ba6020290deb7e742109aa006f753a8c922dc79deabb6ff8813944ba9589d629154f0ea8947bcf5237cc7424841576f447d036b74544513eadb39698daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc781D.tmp
Filesize
660B

MD5
56c3a360e2852e62cb83dfb3e4a0898f

SHA1
244cfdf53f4ba1aed4191a2aebd586c6d36a7200

SHA256
86a753ddb447fa5ba7766c1fb2748536439c9e03a3db114069576397f7c4d3a2

SHA512
02ded8278ea36cc67fbc0dcd3b97a0bc8acc33841e176202cb2b508d51153d2849b17b5f6ea1567ef81d846f3d49e18c11d882b4b14bf7faca1f205804d47883

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2616-9-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-18-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-0-0x0000000074701000-0x0000000074702000-memory.dmp

Filesize
4KB

Download
memory/2856-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-2-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-24-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads