metamorpherrat | 477d6ea4bbe43bfd961db598ce52eec26c469ea96b9870a48f0efa42313c7e4c

General

Target

7aee1b5ade10a773442eabcf9e3a81c0N.exe
Size

78KB
MD5

7aee1b5ade10a773442eabcf9e3a81c0
SHA1

10108aa79dc556af1d219d86024a4e7dfb4d0b53
SHA256

477d6ea4bbe43bfd961db598ce52eec26c469ea96b9870a48f0efa42313c7e4c
SHA512

b4cbf642d28c2b1cfe185a94fc43880930a89e6632da3adf09b1578973eddde22f82d8dd508acdde09f705f214bcf4f644377a939e93fd24130fe1c381591605
SSDEEP

1536:kPCHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQth9/y129:kPCHYnhASyRxvhTzXPvCbW2Uh9/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1872	tmpDF48.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe
1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDF48.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aee1b5ade10a773442eabcf9e3a81c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDF48.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe
Token: SeDebugPrivilege	1872	tmpDF48.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2460	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	31
PID 1900 wrote to memory of 2460	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	31
PID 1900 wrote to memory of 2460	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	31
PID 1900 wrote to memory of 2460	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	31
PID 2460 wrote to memory of 1704	2460	vbc.exe	33
PID 2460 wrote to memory of 1704	2460	vbc.exe	33
PID 2460 wrote to memory of 1704	2460	vbc.exe	33
PID 2460 wrote to memory of 1704	2460	vbc.exe	33
PID 1900 wrote to memory of 1872	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	34
PID 1900 wrote to memory of 1872	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	34
PID 1900 wrote to memory of 1872	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	34
PID 1900 wrote to memory of 1872	1900	7aee1b5ade10a773442eabcf9e3a81c0N.exe	34

C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntikypys.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE004.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE003.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE004.tmp

Filesize
1KB

MD5
d341bb1b9d5ea06c2e6188c6e7c93999

SHA1
af9d04acdfa79843b48f9eaed27fa98354ef5eda

SHA256
b86bf4fd962749be0796df54d355c69c880753445802914045bf0ea1cbbdd689

SHA512
bc7024480eb3c0fad7fb0af5f755c8c58f341d1bd28ba0fe57ff7dfb05f9572fd36d0f71177a9d3540547ce23b682f8ac4265adab806df467bffe5d516568375

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntikypys.0.vb

Filesize
15KB

MD5
a97d4719d600145952c116c1f9d9bd7b

SHA1
f3d5ffabea06d3da11315fae6cc670927bfc2418

SHA256
806782b7d84751a0a050c9c161cdc16f96c13c4e6345ed5f8e23471af1e650ea

SHA512
a0cb5f2a7cdf8db5e6ba46711498825d7f1d26d295f55404633e846824913d1568fb53328ecc7788c149e746fd4857acb5578778542e3aa115c3601ff0c81be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntikypys.cmdline

Filesize
266B

MD5
61eea1f85672ce08fd902338a79266ab

SHA1
c27c113f36248c98c95321d97c57b6bb3165db9e

SHA256
3cd138af84fcf026ff8c154f890ff4df8d3cf6964b5643d2e161dc48b6baeacd

SHA512
79931d87650901ccad9a3b9121605b433866d68ede4152010f4525ab88453f6f4164a5d2f93d7d806daab749f58391433233235c511ebaca8a7690abb5ffcb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe

Filesize
78KB

MD5
ce71dd7d2e92cbf7369ec3af4d8ed33c

SHA1
2b8b6dd75d3801765b0a30471e8f6db7f31cf628

SHA256
cc0e8f190daf53492a1734b5c0c5a223057b345dfc1e6d2956c4c1731c832a6c

SHA512
0c13f803f2a39ca905d8fe96c7b9eee2529aa67fe7f00c151702f2691e3ed48a7f0077bad61830241fdee6e466244bf8078754d6912b4a33cfbe085511d76e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE003.tmp

Filesize
660B

MD5
e89aff1157ecf89b0576664951761cc5

SHA1
6757a7e532de6c38083fa187f082d1085ac323b6

SHA256
e11008056b4a302cd7169c43f6066375f536bab734157cd1c91f66c788417131

SHA512
395e10708bc9c52dcb8fe9744c9aab0ec30c89b1b00406b4b7bf19ac7e679d3435d5ca76be40a9803deedb41fe27efdcd859013a74d782d47369e60bd23ac2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1900-0-0x00000000741D1000-0x00000000741D2000-memory.dmp

Filesize
4KB

Download
memory/1900-1-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-2-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-24-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-8-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-18-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads