metamorpherrat | 940a7f6537f64099c318566bb1d0d412b1d58c1299d80d8585a087f9418ae430

General

Target

27a4615602f6aaea504ee7b0734ef8f0N.exe
Size

78KB
MD5

27a4615602f6aaea504ee7b0734ef8f0
SHA1

326d5b586102be24375fed648f4a4e3b3a784d27
SHA256

940a7f6537f64099c318566bb1d0d412b1d58c1299d80d8585a087f9418ae430
SHA512

db4526d19f450cad2fbd6730a7b82cd3693d8391db17df4e6943cd5df478dd189d63636e71fc76aa72450a008358c4b440fc34a20da2a040ef98cf7d5a56fb3d
SSDEEP

1536:muHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRb9/L1g1:muHYnhASyRxvhTzXPvCbW2URb9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2460	tmpB210.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	27a4615602f6aaea504ee7b0734ef8f0N.exe
2536	27a4615602f6aaea504ee7b0734ef8f0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB210.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27a4615602f6aaea504ee7b0734ef8f0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe
Token: SeDebugPrivilege	2460	tmpB210.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2692	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	30
PID 2536 wrote to memory of 2692	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	30
PID 2536 wrote to memory of 2692	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	30
PID 2536 wrote to memory of 2692	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	30
PID 2692 wrote to memory of 2016	2692	vbc.exe	32
PID 2692 wrote to memory of 2016	2692	vbc.exe	32
PID 2692 wrote to memory of 2016	2692	vbc.exe	32
PID 2692 wrote to memory of 2016	2692	vbc.exe	32
PID 2536 wrote to memory of 2460	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	33
PID 2536 wrote to memory of 2460	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	33
PID 2536 wrote to memory of 2460	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	33
PID 2536 wrote to memory of 2460	2536	27a4615602f6aaea504ee7b0734ef8f0N.exe	33

C:\Users\Admin\AppData\Local\Temp\27a4615602f6aaea504ee7b0734ef8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\27a4615602f6aaea504ee7b0734ef8f0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gn8quata.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB368.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB367.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- C:\Users\Admin\AppData\Local\Temp\tmpB210.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB210.tmp.exe" C:\Users\Admin\AppData\Local\Temp\27a4615602f6aaea504ee7b0734ef8f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB368.tmp

Filesize
1KB

MD5
d8bfa32292a50d24429dc68ef393cd9a

SHA1
8ec599b08da0e1a6eb32186604ac06ea4865b124

SHA256
bb9e9f9287a5d25f051d592232e191e4c3417cdda7322253d3334712c24f3609

SHA512
0e71939d87f96ffd5582eb3ee1a8de9d88309cf0c390159b74d1c205d7f830e31444c4f19b683fe176870a8113bc1f7ad63b7aee14f9b65f5145165e8e58bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gn8quata.0.vb

Filesize
15KB

MD5
d72efd7efc51a633e6667f4ddca4387a

SHA1
d4f9af6fc48c59877929f3f54d0210b70012800c

SHA256
8f5333e51b7906dad155523a62253a910345d769d8ac993701f5105c33545601

SHA512
8b32bb67313547cc132b642b811386abedecdeb763440027efeccd17b7973f54f40ced0e832dba342a0c5a4a77b66e5de332d46d0c3e6ed7844272cde5c2ab67

Download Submit
C:\Users\Admin\AppData\Local\Temp\gn8quata.cmdline

Filesize
266B

MD5
ab0c6dc87775ddf1c52666174f9239d1

SHA1
2bb0e1216f44d71ca015b83f86255d13f6c9a0a8

SHA256
e9d0c832e43f1b2fbd896b206739406d5b1437c75250d67dc019285b48605b4e

SHA512
2ff13d312917e9a9494cb9538454eb22c87e15aa4dee557a725157d99f8b6737d8b028e41226b7a514c2b4de8b7c4364aecee3bd5523c75ae092122a8468d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB210.tmp.exe

Filesize
78KB

MD5
f012f0c0435ec2909ad6d1f5662aa1f7

SHA1
e0ff9eb8ae17ae09186e91089e3c6aa4d5e0d22a

SHA256
04a0ca8db4fcf26a37299191213a8b108f9e98c33bd4dd309fc0f135d358a9a8

SHA512
e81997726a5e0dcafe508d4e6777cc4149e5c480283079957c2adc0c4996c5a5c0df3767a0fd94835eabe770fb123a226858140ae494eda2e12c66205884ee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB367.tmp

Filesize
660B

MD5
2ec13b2b7452612fd0257a3b79aaaaeb

SHA1
3c06f2090a69f91fa7a4971bbfa595f9e6bcdc11

SHA256
a97490e45dc2dc5bd2d02fc543f752548b3b04ae20aea6275027c19837f9ef59

SHA512
0e942b76e36a2bd3a0a1d24b0f1d99c0525b37a1aea2c0bcc31ba215395818199e62d1598b11cf63bf66344bf2c207ba85b4cff31b145d05ec93cf77f460d5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2536-0-0x00000000742A1000-0x00000000742A2000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-2-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-24-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-8-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-18-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads