metamorpherrat | 9c352ce735a518535e87d668536489d314cce09890367cd30ddc9c59800c0a4b

General

Target

2165e81e47591004b13a82cbbb7cbde0N.exe
Size

78KB
MD5

2165e81e47591004b13a82cbbb7cbde0
SHA1

9d60b3e8a87966be1abda58f975d72b1c93bfc12
SHA256

9c352ce735a518535e87d668536489d314cce09890367cd30ddc9c59800c0a4b
SHA512

dd7f0b6f68349b661fe433568715c8c8a863b613c61d66bdd029989644290371aba9fafba9c92a50632591bbcdbbbeadd75e05d0689b105345bed6e7e788cde4
SSDEEP

1536:0V5jSpXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6U9/mG1ko:0V5jSZSyRxvhTzXPvCbW2UM9/x

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2672	tmp1989.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	2165e81e47591004b13a82cbbb7cbde0N.exe
2624	2165e81e47591004b13a82cbbb7cbde0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp1989.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1989.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2165e81e47591004b13a82cbbb7cbde0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	2165e81e47591004b13a82cbbb7cbde0N.exe
Token: SeDebugPrivilege	2672	tmp1989.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2388	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	30
PID 2624 wrote to memory of 2388	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	30
PID 2624 wrote to memory of 2388	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	30
PID 2624 wrote to memory of 2388	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	30
PID 2388 wrote to memory of 2824	2388	vbc.exe	32
PID 2388 wrote to memory of 2824	2388	vbc.exe	32
PID 2388 wrote to memory of 2824	2388	vbc.exe	32
PID 2388 wrote to memory of 2824	2388	vbc.exe	32
PID 2624 wrote to memory of 2672	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	33
PID 2624 wrote to memory of 2672	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	33
PID 2624 wrote to memory of 2672	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	33
PID 2624 wrote to memory of 2672	2624	2165e81e47591004b13a82cbbb7cbde0N.exe	33

C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe
"C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qhimacqp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B0F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\tmp1989.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1989.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2165e81e47591004b13a82cbbb7cbde0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B10.tmp

Filesize
1KB

MD5
6a7ff22b261003686c2454cf05b97ca3

SHA1
f82f05541fed56217b58fefd7bd8d26e9786699a

SHA256
897da110c3aaada845a12c49dbca5e5ad8ebfada3d8d0f64233fb58bc7ad7a33

SHA512
317faa910c624e1db0922ac7e5b02dbfde616beffad067c7654eb17cec0d1cd1fbc6a9497c091d53170a52c2f3c1727e0166536e87a8f8dbde7db520cc568393

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhimacqp.0.vb

Filesize
14KB

MD5
853d7cdf5ad17492d34b490137e5bf42

SHA1
fff3cf721bfdc20c863e1dd7c880158bf6cdc1e7

SHA256
84086bfec5edba99ac8f1e41179c30edcaffd36f44c23f9bf4db8e547a411e0a

SHA512
334a75d39e5f5c4f96cfa6aa211456535b71438d93f68e918337664190c97aaddb44a61ba6fb69d66243b66dab81e1f60d3c7a4c7b178793205ebe623474eef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhimacqp.cmdline

Filesize
266B

MD5
437b367c86887f8a5580783b4dec997d

SHA1
2d38a91b291273d753bfd4ced3175f81ffd1e864

SHA256
365e1fb3a74606dab79fc5a67f0b56bdc65e3d213fef35fbe2dcbc5b45b4cccf

SHA512
68eab65af7ad3d56ae618782aa04e966f667999453a28333fc448f220e9853f1e4fbc15e7026bc9f1ca305deb44cc5e1a9b5cd5da36bb1be8d03a0da26769fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1B0F.tmp

Filesize
660B

MD5
23a3bdb47fa3c692a6da00040f8d1afc

SHA1
4fec367763b475d1c6ab43fabcd5ba434aa7615e

SHA256
9c8177acfc0d35be58cfd844eab501f0e48f0bb7bdecffd2272b5e041e059691

SHA512
887360cdf407161705d068ebdd6daa4eaa5ea7ea2e65d81d5dd50c60a49c536d5992755377f484b9112096fdb5de60e8b9cc5ae6abcd66ed26916b5f54816bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1989.tmp.exe

Filesize
78KB

MD5
592fe1b0daf9551d460c4f0423e3437e

SHA1
ff518a90142f335bad4a5e27e5e95f9421483d2c

SHA256
d76fc6a07e498b25c7992e4ec2300b4c69665f24ede1e7078132f40bd6fc91fe

SHA512
70269d81c680717c972b5ac5405281c4cc660cef432008336b3b6efac36a91b71bf51364170b61e09b797b3595daa376b4af1d64221e3f6ea6a6868e756235be

Download Submit
memory/2388-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads