metamorpherrat | 4c6ed28e287ed16e01cedfe119043f79f83ff366ab5d00d36d36ca894025ed4d

General

Target

909f89bd3fc549425a97a8fb9d405790N.exe
Size

78KB
MD5

909f89bd3fc549425a97a8fb9d405790
SHA1

26bf3117c4ac55413d96e2e09381f3d0d1021e65
SHA256

4c6ed28e287ed16e01cedfe119043f79f83ff366ab5d00d36d36ca894025ed4d
SHA512

7d475ffcd5f9a264aba2d9a7595577d8dd524f24345b2caa14bb3cf0878c91c73b7766f7318c85393a51fb103595cbd8efb797cc3d9b409b8bfb9f0385fa6889
SSDEEP

1536:D5jSpXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt961G9/c13g:D5jSZSyRxvhTzXPvCbW2UGG9/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2740	tmp560C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp560C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2636	909f89bd3fc549425a97a8fb9d405790N.exe
2636	909f89bd3fc549425a97a8fb9d405790N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp560C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp560C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	909f89bd3fc549425a97a8fb9d405790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	909f89bd3fc549425a97a8fb9d405790N.exe
Token: SeDebugPrivilege	2740	tmp560C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2820	2636	909f89bd3fc549425a97a8fb9d405790N.exe	30
PID 2636 wrote to memory of 2820	2636	909f89bd3fc549425a97a8fb9d405790N.exe	30
PID 2636 wrote to memory of 2820	2636	909f89bd3fc549425a97a8fb9d405790N.exe	30
PID 2636 wrote to memory of 2820	2636	909f89bd3fc549425a97a8fb9d405790N.exe	30
PID 2820 wrote to memory of 2536	2820	vbc.exe	32
PID 2820 wrote to memory of 2536	2820	vbc.exe	32
PID 2820 wrote to memory of 2536	2820	vbc.exe	32
PID 2820 wrote to memory of 2536	2820	vbc.exe	32
PID 2636 wrote to memory of 2740	2636	909f89bd3fc549425a97a8fb9d405790N.exe	33
PID 2636 wrote to memory of 2740	2636	909f89bd3fc549425a97a8fb9d405790N.exe	33
PID 2636 wrote to memory of 2740	2636	909f89bd3fc549425a97a8fb9d405790N.exe	33
PID 2636 wrote to memory of 2740	2636	909f89bd3fc549425a97a8fb9d405790N.exe	33

C:\Users\Admin\AppData\Local\Temp\909f89bd3fc549425a97a8fb9d405790N.exe
"C:\Users\Admin\AppData\Local\Temp\909f89bd3fc549425a97a8fb9d405790N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bq86o9fv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES583F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc583E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp560C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp560C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\909f89bd3fc549425a97a8fb9d405790N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES583F.tmp

Filesize
1KB

MD5
34132efea614760ce515dfd4ea78f559

SHA1
ab3f3717f1039b45f0aa28384cde97c8c07a9dc0

SHA256
1b64afe2cb6ac8e01894667099752232103f16622aa23721ee8989a1da4df95c

SHA512
980c6fca40271093b2873a9151dcade5b16a46935f887214b183dc274df20b473e5def57867871b09a6a909458ac058a10f1b576d9821ca93611d35f21bc2738

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq86o9fv.0.vb

Filesize
14KB

MD5
df5e85d2772c0c05fac22939baa9b2c1

SHA1
a71359a815482ea2b4e4d88bc19a5495cd5bbc4d

SHA256
01f315261e1f7a50c3f8804790850cc6b64e2a9416538d26838f62ab4b451ffc

SHA512
2e7c0adad82c0f8b77346c75fe8264025a3cde1382d8fe319aff840797ef160dfc4e4ed5cbb884f28bbf456d004d62f320b6fc69d47d484888eb23851470c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq86o9fv.cmdline

Filesize
266B

MD5
8fcb136b84e11243a86595dee8668ed2

SHA1
c77f2c55c39205a0c058e804b2f94a4e959464e9

SHA256
9121c81050bebd5172496ceb429456b1439d4b1289307b9b7869f48cc0abe9bc

SHA512
03a8ff54439fbaadf4a7a335d1e2483298739817849cac09d323b173cda0e9a543e7c60cdd185f186878d61439042c5136aaae5aaea6822e9b2c6d8e55fd8de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp560C.tmp.exe

Filesize
78KB

MD5
d271036fde30e007c5baf5240becd3d1

SHA1
814ed0ca73f23349eaf6617b7ce683237b5836d1

SHA256
8d619aa564219c42207393e175033ebd3163e6ab5a52d8d9ef92dce8eb486428

SHA512
76a978a0b6a737ff3ed9e3701ab3f957a70974016538e98e0a04ed534e840dc9829161da4a39c843862e7e0ac6bce6674de80649ba66530e3eaac9986fe5033e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc583E.tmp

Filesize
660B

MD5
7f7ac8d62ddb7795123ab886a661ff69

SHA1
6f4829f68f95b5894ca1200ed304280eb3c30f90

SHA256
5f8012ac22b80f5bbf217db462dd3b612619fbccb300d49f2a6cda0ecffab752

SHA512
b5f4b4369f3f574e329394fac81021144efe245e501f560cfaa38fac6f5ebbebe484f241192a6fcba25fd1e5f7361edc152db31e3e5ccb82db6e78020f281137

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2636-0-0x0000000074351000-0x0000000074352000-memory.dmp

Filesize
4KB

Download
memory/2636-1-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-3-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-24-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-8-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-18-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads