metamorpherrat | a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855

General

Target

a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
Size

78KB
MD5

592c6d0266b3496ba78464569efa9e7b
SHA1

8d70b2a061c3d987b27ea42ecb798cdce8314d6d
SHA256

a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855
SHA512

ff0402a4dc81575cc9cc02696669579aa93af31d88743aa87a43756a5ab0f907f6287ef7cbfb196712f2739c9a9a31fec9e8780ad3a7311a2fa165b5bb50840f
SSDEEP

1536:HHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQto9/C18u:HHshASyRxvhTzXPvCbW2Uo9/E

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2904	tmpA9B7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA9B7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA9B7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
Token: SeDebugPrivilege	2904	tmpA9B7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2560	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	30
PID 2056 wrote to memory of 2560	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	30
PID 2056 wrote to memory of 2560	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	30
PID 2056 wrote to memory of 2560	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	30
PID 2560 wrote to memory of 2344	2560	vbc.exe	32
PID 2560 wrote to memory of 2344	2560	vbc.exe	32
PID 2560 wrote to memory of 2344	2560	vbc.exe	32
PID 2560 wrote to memory of 2344	2560	vbc.exe	32
PID 2056 wrote to memory of 2904	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	33
PID 2056 wrote to memory of 2904	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	33
PID 2056 wrote to memory of 2904	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	33
PID 2056 wrote to memory of 2904	2056	a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe	33

C:\Users\Admin\AppData\Local\Temp\a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
"C:\Users\Admin\AppData\Local\Temp\a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w0w0gprt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA91.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a2287523477ae7d89d7c4ef21380cfd6031bf94eb068883f842ed37d21acd855.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA92.tmp

Filesize
1KB

MD5
0dbe67639b7f2592565ae949d391398a

SHA1
27c2fa2d68ae3feecefe40bf682ba70bd79db274

SHA256
8bb9bd4d5a08ec537b0e86eaf6a78ca913f7656a768c2111246c13d99adc6781

SHA512
88e2d685a8ee6339718e3078a6307c41b9462fae485a776235f08f2ae96bc4bbca559e1604b1b580b5f225b360aa0694e4db648b6310031530913f20c4a52c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe

Filesize
78KB

MD5
a2fe4d7c1f47e90bf9ca6a45fb61a7e8

SHA1
84fc713b733dd85b3ee4372403446a1710d6802c

SHA256
35b6650380d2b68e17a017153b90e40e83e7762b29f120885a9a12bd94ea1bb9

SHA512
9566b4bd85259cd10f65b34da355a38cad4f6ac87cc64f73005721188da27d1e1f5c481d0ed44b4f41129f1d8b41cae17a46964832ec799c9bd187312ae401be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA91.tmp

Filesize
660B

MD5
b580ceb585d5b92c95c8f8d43ba3f0e9

SHA1
b5bb14583a27f215cde0a9239953bfa1637ed79c

SHA256
9ddd49b410332bffc414fc02c4ff0108146069dc0dd0a7670dac7c57a0384663

SHA512
6dbc13b6017423504e40fe27e053bf5356d6b173e48e7df0070ec564ccea82d89e692687755cd9c0a67386126fa9663f2d81496f0b5f315f93725eeb0b72e132

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0w0gprt.0.vb

Filesize
15KB

MD5
12af92c020902d583b9209254acae9cc

SHA1
701bfc55db981cd8a3cfae74d289c70819f35732

SHA256
081186578d52f50e2eb6864233507be3f8cc0e3270f1f69ab26a4f1a25f294e4

SHA512
7c5ef53b6953383a17e657233041b7147b9f7952d8926f465fd669cfc9453b42cc96d5b94b2990704065acbe39fd79ccc9e633e54aa4dc8a6b07e8acf456eee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0w0gprt.cmdline

Filesize
266B

MD5
1f15a8d502ee69a27b85db2e45920839

SHA1
a2dc3e0ae739ba64ec94af00bb305195dda14d24

SHA256
e000517a61fad158cf37e506cedc0547c6685bcb4c6194ef33f109421a673dcd

SHA512
2e0b70258b389030bb211b7635113f33560712c6a02fc47e8cdb06a864c1eed39d237df7c3df893819a4cd6b4273eeb7e6fe20f2f8220c931a2fd95d549af45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2056-0-0x0000000074FB1000-0x0000000074FB2000-memory.dmp

Filesize
4KB

Download
memory/2056-1-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-2-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-24-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-8-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-18-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads