metamorpherrat | b44b6ba599e23f3bcc5cda7c98adfb3536e00bbe8190c4524cd491a77faf7882

General

Target

9fa3b28a1230bcfc29e1294ac1a2f320N.exe
Size

78KB
MD5

9fa3b28a1230bcfc29e1294ac1a2f320
SHA1

21c7b1eb189464546d42be239b38131b668f73f3
SHA256

b44b6ba599e23f3bcc5cda7c98adfb3536e00bbe8190c4524cd491a77faf7882
SHA512

7a5a65303f2feea367dbceb1343510b7b83f15d4c5faf28ce48a0bf67ff608732ec6eb488b86901e04771ca6451b2b21401494bcfd1b5f473317a23006e95343
SSDEEP

1536:Xe5jYXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6P9/r1JM:Xe5jgSyRxvhTzXPvCbW2U39/A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2728	tmp278D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe
1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp278D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fa3b28a1230bcfc29e1294ac1a2f320N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp278D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe
Token: SeDebugPrivilege	2728	tmp278D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2440	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	30
PID 1624 wrote to memory of 2440	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	30
PID 1624 wrote to memory of 2440	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	30
PID 1624 wrote to memory of 2440	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	30
PID 2440 wrote to memory of 2216	2440	vbc.exe	32
PID 2440 wrote to memory of 2216	2440	vbc.exe	32
PID 2440 wrote to memory of 2216	2440	vbc.exe	32
PID 2440 wrote to memory of 2216	2440	vbc.exe	32
PID 1624 wrote to memory of 2728	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	33
PID 1624 wrote to memory of 2728	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	33
PID 1624 wrote to memory of 2728	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	33
PID 1624 wrote to memory of 2728	1624	9fa3b28a1230bcfc29e1294ac1a2f320N.exe	33

C:\Users\Admin\AppData\Local\Temp\9fa3b28a1230bcfc29e1294ac1a2f320N.exe
"C:\Users\Admin\AppData\Local\Temp\9fa3b28a1230bcfc29e1294ac1a2f320N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k4epnzqm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AC8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9fa3b28a1230bcfc29e1294ac1a2f320N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2AC9.tmp

Filesize
1KB

MD5
b56a1e38d4c595f341beb8abdc6d1d1f

SHA1
0c40e6392a26e36e85c3104630ca87d59d239c61

SHA256
781c986828f50665e06d5ca72314f2c221a036b9df738a054c0a470ac497e694

SHA512
ddebdec8be26268898eedfcc34fb29f114de95ba418c0d9c9ae89df892112696780f80898ba2a25d333bb712cd31d93c473d8c45bb9879c5af7a5cdafaba855e

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4epnzqm.0.vb

Filesize
14KB

MD5
0ca922c4d5d93ca98982291336f1f33e

SHA1
d989da6c0cf3b4f715d99fe27341e608eb9619c5

SHA256
c02d11397604dc487264cf57e2c3aeb2c96e53cd0c70a52c40a2df395f7fb3e1

SHA512
f8ddc2a45edad3dd553ec8d355c5510ce1a84b217ef163e0b5fa64eb4617d9a9dbebdbaf52e2824ed7433f8e6e78d496c9351fb36a362b54103d9e1ac1198f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4epnzqm.cmdline

Filesize
266B

MD5
1a188c88eba4ad71e9f91c0d983228a2

SHA1
17732c13d8477a64014242ef5df0cd7133057294

SHA256
a9de12deb92fc9e1c88997a2e34a578ade416e85a686d1de768ec4b9f87b8200

SHA512
7ed667a5f33727ae470f41c54f7018869251330f2192ce3be5e6389f61f09e0953bb4dbe9aaecb7e39bedc9c2f3de7fed8f79cf5b6a02f525ee3b6931e142c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp.exe

Filesize
78KB

MD5
4d3f3a8f667533555394040cc2085e98

SHA1
0f1afe2044f48566c553a0c9233f221762337ba4

SHA256
acc9d71edc3a1303aa0eec2cb7033abdca5393105c7f619497c73ff5bc5a9153

SHA512
9c4f70162fc2bb96f49223fc6cb8569391a2ca8dbf91c6737dfbf1cc0e3c4fa411bc91085431e578f9457ece699a2cd16b45fcfadc648af3e20add677aef0e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2AC8.tmp

Filesize
660B

MD5
4cfb8347c8765046eb906c474ce78492

SHA1
6a84e023e5b75ad5d831a8acf853c9a787fc3999

SHA256
a9528190e935740c236889baaefe7e364fbfbc68a0a68efb11e42841d9c31b87

SHA512
6ace1121262b6c14c24eb420e6efe6cc7ae8026ad424eec37a71ec7e207dd58212ffe59fea15901624752590c6f95e525ccce4c5ecb64ad583121363cb43fea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1624-0-0x0000000074811000-0x0000000074812000-memory.dmp

Filesize
4KB

Download
memory/1624-1-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-2-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-24-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-8-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-18-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads