metamorpherrat | 1f2af881da90a27d9ffd6acb1e6ebe296bd5f81a8af07a949a8ca83dfe671fea

General

Target

c12812502364fd0d08e8fe1167f3b1f0N.exe
Size

78KB
MD5

c12812502364fd0d08e8fe1167f3b1f0
SHA1

961b634447da2824d49e8fe9b8a0e146a9b09379
SHA256

1f2af881da90a27d9ffd6acb1e6ebe296bd5f81a8af07a949a8ca83dfe671fea
SHA512

87acfc0908dbb37da6f07c3f049b75b5bf1f518173cb39ac21f8bade11529e42a8da86ae144a499090e82c2e58cbe7cf6f0c18f7be469d7e215a8369a31c2738
SSDEEP

1536:bWV5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC67X9/p1H1:bWV5jS4SyRxvhTzXPvCbW2UjX9/5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2628	tmp42AB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	c12812502364fd0d08e8fe1167f3b1f0N.exe
2716	c12812502364fd0d08e8fe1167f3b1f0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp42AB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c12812502364fd0d08e8fe1167f3b1f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp42AB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe
Token: SeDebugPrivilege	2628	tmp42AB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2668	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	30
PID 2716 wrote to memory of 2668	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	30
PID 2716 wrote to memory of 2668	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	30
PID 2716 wrote to memory of 2668	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	30
PID 2668 wrote to memory of 2684	2668	vbc.exe	32
PID 2668 wrote to memory of 2684	2668	vbc.exe	32
PID 2668 wrote to memory of 2684	2668	vbc.exe	32
PID 2668 wrote to memory of 2684	2668	vbc.exe	32
PID 2716 wrote to memory of 2628	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	33
PID 2716 wrote to memory of 2628	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	33
PID 2716 wrote to memory of 2628	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	33
PID 2716 wrote to memory of 2628	2716	c12812502364fd0d08e8fe1167f3b1f0N.exe	33

C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pegkvntk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4348.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4347.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4348.tmp

Filesize
1KB

MD5
611fd0308ba78fbc497c85ce19094f9c

SHA1
0f1718f0f38a14639bcd62a542fb300f5c813f63

SHA256
fd45b01a2cf11227ec88b9ae20f03b2010402234346fd06c8d8c36a0e19a9f66

SHA512
d15bf52478a478bb2474db3b9f8987e0c9e4ac224c1ee3dd07d1f962b3f06cb2571b3b87434ac843d7f2212e2cde070d4935434e3db22e200891d8a0d93e821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pegkvntk.0.vb

Filesize
14KB

MD5
93699678b71eea7d1ac12e376d2d9897

SHA1
1447b0a832ac74f3b3507896d32f7475a93f8d8d

SHA256
e99c2b744136f49ceef1f018627c70f8b2bdd163c53ee0c58f0bfc6515586e07

SHA512
1c6f3a02f33f0b27541794ab4fe445ae65ec727855c2189a7de8206a33a8a647c57e2c112ba3b5a9d27504dff16c143f2945d7dee986b9ba33e448d49ead55ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pegkvntk.cmdline

Filesize
266B

MD5
faf323dbaaed16468f9ef3c02b197eef

SHA1
c5bdf03a71ea78f267f20a41ad7a2574c9fd24ac

SHA256
6808ca728e661c324fb296dc129aa375892a75dbf816609947b7a9561d1f3556

SHA512
d12e2b3be64fb50bfe34d604cc2b5ad197c5d0981b1db8cf315481be44771ebc43291a181cbd6015c20bf51cc43afebfee0cdf80e5b705f8bb864352610ef239

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42AB.tmp.exe

Filesize
78KB

MD5
0c8f770d4ba3e98eb69d84606d0e108a

SHA1
6c3f73e6a134b08fbad49daa923416ec24391adc

SHA256
ff11e4e93cb420839deb1cd475dc1532aced529f1f7ade55841d78011ee006bd

SHA512
15d6c370ce2a5960ec41e61abf002729758bc615b7dafecc34f3bb3565d8b90bcd1850813b176b0cd6131ca61c99f9faf3227e3a3108a2da84f3473ae33ecc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4347.tmp

Filesize
660B

MD5
428945a778cf2c54bab85ebe51f4609d

SHA1
901765d0253268333cba4dfe497827d004e20e41

SHA256
afd6bd5aeff6680afc72ab3a74606514128505e59fa3528ae38a37cd6ac903ac

SHA512
0341f49de62f58553649de8f013379cbe44cd3264e1e9c0ca470524f55e6dbd4ecf4a6a3e7565f63ce7e3636dad740ee42c3adc4a6e890c6aa09afec2213c2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2668-18-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-8-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-0-0x00000000749C1000-0x00000000749C2000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-24-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-2-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads