metamorpherrat | d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a

General

Target

d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Size

78KB
MD5

95667e1d6487c7b60fd3b30d743b3bc0
SHA1

fb049542851b604b3f21b2b6d5fdff6ff32acba6
SHA256

d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a
SHA512

09cfd80b049ec312f0bbc64a9d53a6212e82bf70a24feb680860e58a7ac9e80ba699a44cc37a189d82d06ff9038ccab85435a5623c2c38566d7b86739dbc05f8
SSDEEP

1536:UuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtea9/v7g1ya:UuHFonhASyRxvhTzXPvCbW2Uea9/v7s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2068	tmpC330.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC330.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC330.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Token: SeDebugPrivilege	2068	tmpC330.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1684	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	30
PID 2136 wrote to memory of 1684	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	30
PID 2136 wrote to memory of 1684	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	30
PID 2136 wrote to memory of 1684	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	30
PID 1684 wrote to memory of 2428	1684	vbc.exe	32
PID 1684 wrote to memory of 2428	1684	vbc.exe	32
PID 1684 wrote to memory of 2428	1684	vbc.exe	32
PID 1684 wrote to memory of 2428	1684	vbc.exe	32
PID 2136 wrote to memory of 2068	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	33
PID 2136 wrote to memory of 2068	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	33
PID 2136 wrote to memory of 2068	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	33
PID 2136 wrote to memory of 2068	2136	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	33

C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
"C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxmv85yp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3CC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp

Filesize
1KB

MD5
e02a1f7ec8408e9770f7739cc6572ee5

SHA1
b7a9c29bd14f03734420092069e61db32c7b726c

SHA256
bb8bdc973801a9f4bb9ddad4665bc1761c14985926b31059d81f50be355d5128

SHA512
46f6acad1938afa42a9196eee204d241172b5a876abc1f05424c0b406bbaba45a119145f24a74383b63bb9e5fe48fc01ebbb24775bd9d087b3365e7b101b909a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxmv85yp.0.vb

Filesize
15KB

MD5
559a31a7d079b8fc108c53ee049a3b55

SHA1
7b69816bbfe506beb984a133afbc7b219076d822

SHA256
860a80d2b98632022f1e3dbf47110d4b47f611889399c7ac1efed00182a970e7

SHA512
abc2c3ce52628ec55efdf7bb6a288ae7616ab0b3470a633311b64151f857caa5c51ec42b9761a8f5144936aafebc56846c0a25b82213ee236f239621901e00e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxmv85yp.cmdline

Filesize
266B

MD5
a00c7d81bf3c7ad364a641ab6841b519

SHA1
b40aac8e7c683238baf23f17072fd4f83c4a30a5

SHA256
2954ca0db081a898862ffa2ef9afdf694de6194b39a8b9b6e9bb817dc9eda35d

SHA512
846d0ac6b3076ff545d3cc0b9870029df81636fb57fe7d2f334f6c37452bce7450aca44562dae2772b651471ce0b28e9acebeb1ac021f9cf6625731dee552ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp.exe

Filesize
78KB

MD5
7122f6b739a33c148adb8e4cf78ee455

SHA1
d43856f781085b0d91b3fbca9559ce3bf726c4bc

SHA256
931f00d0592634cd894a5331e08e2e29842b572aaef2c3eaf38f747feca3be38

SHA512
a3f719ed16aec44417349b4aa47e9b2b34bb71522d38985165e4323efb0d59dd3bb731954e879b19706088b321ed79cddd52320cbe6aa4c32951a91c99908d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC3CC.tmp

Filesize
660B

MD5
6fc368987cdf73cc6025694b86798b9b

SHA1
5bc513a4d55bf9c98fd156d90e50a047a3ec6e5b

SHA256
b120031634cb579d04ab2f4a32d67c22b8812b8cdd96fe233294a229b978a7c3

SHA512
c65326cda25647d6e0c510e93db796961e3d8805ef2bddc13e8e72bab4cca1792f2fb7b437888e9c984144bfb160cf3e23c8def8a06f8cd173418acac215ae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1684-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads