metamorpherrat | cc63856466a7bc3187c29e03d52344c92de361eb776290fce937e36075df70ac

General

Target

f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
Size

78KB
MD5

5a0e73710ba67f3fee26ca0974b30c9b
SHA1

3ec0cb651838e32577d213fbb4c620cf8e496b5e
SHA256

f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d
SHA512

d9d7e2df2d684fdcccc6cc0e002f8020ca4aa39fef63512b526f3c3db04be6f1d4e46e617ada493a7037c205a64ae500191044efc33d004d4d204c2b4868fad0
SSDEEP

1536:DPWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt69/81EP:DPWtHshASyRxvhTzXPvCbW2U69/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2448	tmpB56A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB56A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB56A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
Token: SeDebugPrivilege	2448	tmpB56A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1944	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	30
PID 2408 wrote to memory of 1944	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	30
PID 2408 wrote to memory of 1944	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	30
PID 2408 wrote to memory of 1944	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	30
PID 1944 wrote to memory of 2852	1944	vbc.exe	32
PID 1944 wrote to memory of 2852	1944	vbc.exe	32
PID 1944 wrote to memory of 2852	1944	vbc.exe	32
PID 1944 wrote to memory of 2852	1944	vbc.exe	32
PID 2408 wrote to memory of 2448	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	33
PID 2408 wrote to memory of 2448	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	33
PID 2408 wrote to memory of 2448	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	33
PID 2408 wrote to memory of 2448	2408	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	33

C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
"C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hdxp8y3v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB636.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB635.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB636.tmp

Filesize
1KB

MD5
b4fb9fca3e80ea4e716fe7abb6c618e2

SHA1
18a72abd170ec1cfa2419661df2393051a26928a

SHA256
788bc889e7a5075fbacb2e9e474607e9c6205a2014e222ffcf7a87c6eb7cac07

SHA512
03b4d5393f9ac346065610397aedfa40ae29c818aeed5b440f8680b87fb5cc1198a0c18ec132af7cedf7733d7fb5c513581c81d876ce8b3898bfb6a06f7fb871

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdxp8y3v.0.vb

Filesize
15KB

MD5
ff68e53d5cef3c895424910e35185194

SHA1
d2577fbf03ac44f080bb100794bb91e52e00cbcf

SHA256
23992dba225a5cedc1dc85a4d99e395e41ce7a9fca9349aff2bee667face0f15

SHA512
491832480d059aba8ebb9070b2f984b79f2a29e6250df879b35adc57ac13bd493955d5e04823698f109211f87151247026c4ab6f0293beb7b1f163187995bf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdxp8y3v.cmdline

Filesize
266B

MD5
4e31ad0c4861da7b134689871563dfa4

SHA1
01e60d87cb7ec6dd24f00f67eb2a54a420b55e93

SHA256
08ec2ef8ea3312655fc9e3c3907095cf15af31adc0fcbf9f850c4fa4dbc3cda3

SHA512
eb92d9a49e954b5411afe6bbe84c724fe9e437e2cf3591f547b1f881b31b29c3eb809998e7b628c133ab121c023a14b58ce731452b693b3bc7a1aae61ac924c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp.exe

Filesize
78KB

MD5
354c5958d7526235cea6fb0f92c6576b

SHA1
ea87a4253037c0d9869a0ca912fa42ee0dcc64bd

SHA256
d0514b3f0f51ee34c3e7d0f53a3c8c358e22383f8bc32c3f79c44d4662a04b22

SHA512
e02e99f6c0f150d247f78079dc9dd14c3627eea7ed979734aa592cee2a32136cebb68f93fd91351230ebafc39bb89c577ef593be56d744faa541bac50c9f84bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB635.tmp

Filesize
660B

MD5
f5b2a101ba082da078c5ba2c84febba2

SHA1
369bda5325065ab2017f2a10a8be4a567cdcefe7

SHA256
a02bb774232318f6e0de468526ad31e1b7c5db8d601ba06fc64a11b3b4e6f114

SHA512
15f1cd7e96fed01e968d0ef2b446118168ae1d09fe3d4fbcd2ff666a0e86b989df50e65c644d61bbe5716708cd2a0a7170d53fdf63448375ca28a6043449df5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1944-9-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-18-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074411000-0x0000000074412000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-2-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-24-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads