metamorpherrat | 9c373db0b3812e9263b3d00ebf738b68c950f5b1f1532282eb87d7a55069b803

General

Target

502b6140cbae19b1b29e6ffc5c2064b0N.exe
Size

78KB
MD5

502b6140cbae19b1b29e6ffc5c2064b0
SHA1

1bbe9fe922d3eb4a8bc55bd0549755af07b5708a
SHA256

9c373db0b3812e9263b3d00ebf738b68c950f5b1f1532282eb87d7a55069b803
SHA512

7bb8d5a37b3fd29ea09a64583e3ddb3ff1a7d8d09f633091bebf6f18cb333444f1f15816974463b769c59a2f72a4413a7cf76b876ed66f0f93ccf88ea29943cd
SSDEEP

1536:ePWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtR9/G1W7:ePWtHF8hASyRxvhTzXPvCbW2UR9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp5560.tmp.exe

pid process

796 tmp5560.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

502b6140cbae19b1b29e6ffc5c2064b0N.exe

pid process

2644 502b6140cbae19b1b29e6ffc5c2064b0N.exe
2644 502b6140cbae19b1b29e6ffc5c2064b0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
796	tmp5560.tmp.exe

pid	process
2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe
2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp5560.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp5560.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

502b6140cbae19b1b29e6ffc5c2064b0N.exevbc.execvtres.exetmp5560.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	502b6140cbae19b1b29e6ffc5c2064b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5560.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

502b6140cbae19b1b29e6ffc5c2064b0N.exetmp5560.tmp.exe

description pid process

Token: SeDebugPrivilege 2644 502b6140cbae19b1b29e6ffc5c2064b0N.exe
Token: SeDebugPrivilege 796 tmp5560.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe
Token: SeDebugPrivilege	796	tmp5560.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

502b6140cbae19b1b29e6ffc5c2064b0N.exevbc.exe

description	pid	process	target process
PID 2644 wrote to memory of 2968	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	vbc.exe
PID 2644 wrote to memory of 2968	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	vbc.exe
PID 2644 wrote to memory of 2968	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	vbc.exe
PID 2644 wrote to memory of 2968	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	vbc.exe
PID 2968 wrote to memory of 2868	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 2868	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 2868	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 2868	2968	vbc.exe	cvtres.exe
PID 2644 wrote to memory of 796	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	tmp5560.tmp.exe
PID 2644 wrote to memory of 796	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	tmp5560.tmp.exe
PID 2644 wrote to memory of 796	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	tmp5560.tmp.exe
PID 2644 wrote to memory of 796	2644	502b6140cbae19b1b29e6ffc5c2064b0N.exe	tmp5560.tmp.exe

C:\Users\Admin\AppData\Local\Temp\502b6140cbae19b1b29e6ffc5c2064b0N.exe
"C:\Users\Admin\AppData\Local\Temp\502b6140cbae19b1b29e6ffc5c2064b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gaxztpzi.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5919.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5918.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2868

C:\Users\Admin\AppData\Local\Temp\tmp5560.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5560.tmp.exe" C:\Users\Admin\AppData\Local\Temp\502b6140cbae19b1b29e6ffc5c2064b0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5919.tmp
Filesize
1KB

MD5
bc7573417280552900d019cecdc1605b

SHA1
d7de7e1bab5441ffd365fb54f774c1d440b76a18

SHA256
fad33ef5c3cd445e12ebe3102dc691cdffe7c1f199eec28640cc784d3f7b1117

SHA512
39771abcbd820d99568278160627178c27bc664021af4068518ed3edda33fa201684793791397e438252ffcc65b50000bc6d7abed40c91af23e14a4ed90242d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaxztpzi.0.vb
Filesize
15KB

MD5
d0542b779b555f9541d3ec829a89598f

SHA1
bdf31ddd328e007dc1a3c5ace7914a557e8be149

SHA256
1559a6c6905edaa9cc41969e2cd126b7ca3c1317fb2144aa78aa9646906b1936

SHA512
1079f75d3f0867d159fca6f99f4476cfe90ada4a3d9ae728824645bfec0ae38414c5df46bb22c32149b2cd38b08e9161b95e315e10839fcc490ff6ee5009f64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaxztpzi.cmdline
Filesize
266B

MD5
01c98e9047a68fb6ac84b99f3e8e4ea4

SHA1
15b4572e7d9a51a3cc0c63f2e83612b07daff952

SHA256
e2d8c4c1124e5ce9f9ddc9ce4f92f6a448ea36113c24f2b17f5e1093bfb088fb

SHA512
24b9a6b45315f8aa6a81496aefa3ad38eac906db1a470440f2bd3bad1281d045e5c253ac0ebc604b412bbc1f6cade41bc6293377c80cccba894f2377393eebe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5560.tmp.exe
Filesize
78KB

MD5
d6b6e3e5f7051c091ff1de4414926687

SHA1
172366a92c1678e809193c20cdbcabfce64ddfd5

SHA256
eae555cd5f519762dec18c8395029e4faed2bb220aae46482d4d1b7a0aa39a9c

SHA512
76174c248db74c228d4c17882d56133eec14d899b542c39da9be1959ce9f10028b62833801f010d6d44b6cf4a4851cfcfc1b8dadf09231f21da82dbf32bd0365

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5918.tmp
Filesize
660B

MD5
22ceb94a3d7368e682e45a3c4d7fe485

SHA1
4ed0cb4c18eff375e1891d6545accea6523526a1

SHA256
4081ae78b2ff1c9f25e332f5fc16ea69db8c61beedfb97b3dcb4c303ad06ffa9

SHA512
8e8f74df31ebb6b11cb608d2d1169c6631db9f3d86e7faa45bd3e52ea6d631bcc4d110f1fd1da96e07c7861e2d9ec1e44b2730bb74fa4118d0637b6139a78caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2644-0-0x00000000741A1000-0x00000000741A2000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-24-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-8-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-18-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads