metamorpherrat | 6ca8a2394be1fd44474d0b067068fe33a4f09b635a5b3ddd69a1791491530526

General

Target

9644bf2e0888b5d495ae2e347b4a62f0N.exe
Size

78KB
MD5

9644bf2e0888b5d495ae2e347b4a62f0
SHA1

16cc2c83a8e3a913172fff0f2ab9b29ae0925d90
SHA256

6ca8a2394be1fd44474d0b067068fe33a4f09b635a5b3ddd69a1791491530526
SHA512

e594e168c019223d44cf05d1d47430cbe8acf833ecb8c0cdd00821fee932a3c0902cb0be94f36267d4cf9a52c2b70ead1fc32a106893fa40a4d52748ba947ce7
SSDEEP

1536:zPWV58PXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt961E9/S1KM:zPWV58vSyRxvhTzXPvCbW2UGE9/g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2756	tmpD0A7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe
2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD0A7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD0A7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9644bf2e0888b5d495ae2e347b4a62f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe
Token: SeDebugPrivilege	2756	tmpD0A7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1904	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	30
PID 2124 wrote to memory of 1904	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	30
PID 2124 wrote to memory of 1904	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	30
PID 2124 wrote to memory of 1904	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	30
PID 1904 wrote to memory of 1656	1904	vbc.exe	32
PID 1904 wrote to memory of 1656	1904	vbc.exe	32
PID 1904 wrote to memory of 1656	1904	vbc.exe	32
PID 1904 wrote to memory of 1656	1904	vbc.exe	32
PID 2124 wrote to memory of 2756	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	33
PID 2124 wrote to memory of 2756	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	33
PID 2124 wrote to memory of 2756	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	33
PID 2124 wrote to memory of 2756	2124	9644bf2e0888b5d495ae2e347b4a62f0N.exe	33

C:\Users\Admin\AppData\Local\Temp\9644bf2e0888b5d495ae2e347b4a62f0N.exe
"C:\Users\Admin\AppData\Local\Temp\9644bf2e0888b5d495ae2e347b4a62f0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8_8s24ic.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1A1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\tmpD0A7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0A7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9644bf2e0888b5d495ae2e347b4a62f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8_8s24ic.0.vb

Filesize
14KB

MD5
4c52928db37b042413ce47c32bdab9ae

SHA1
cc1ef4d99788f5ca92f93746c4cc62642f5ccf60

SHA256
b95cc4efac6a84fa040d57e1f794c8eed09750bd501e9b195a68e81d0ff5e8fc

SHA512
288c8d02f558ea7eb8c46bc254e1c9fbc1ca193672ca458ed724fafb3fad0b56658a63a42c4a24adae3a03efedb7b23145dd429a8eaae96a00865d3b338a5ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_8s24ic.cmdline

Filesize
266B

MD5
55c9b79e57acf132ada120a2d9a8c475

SHA1
afd94a527ec9548aa3b9209313d169e915f835fa

SHA256
9aae76d4052cb9db50d4ba2910e033e6ccec1bd2d4873d110b4abb490a2c7108

SHA512
06a5274e7b93fa74f620eb0029b671de12048c6bd2a6a3a26f468fa2eb457f4042f9f72af18556a59e6432d73283f4d4b76830b431dc8a8d8bb424561e6a162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD1A2.tmp

Filesize
1KB

MD5
b7e68b398c4138cb8b49caf413c015b8

SHA1
2c58f9bff34d1350c9f99020d4fe821df84dfaf6

SHA256
2e0e910a4413f8131fef0e1d36c5a8821b247151a6af553af70eee878f27d6e6

SHA512
17b4fd0a317d409593f439536bab3e15d5da06ceaddeb2df6db54b139f1e577d991a08454c3d0f7a8a7af5b17038c9d3b0fd981f254ec40d74bb5c66f4c028a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0A7.tmp.exe

Filesize
78KB

MD5
2dcf54060f5683bc606c1ce4b78dd7ee

SHA1
848327f993b8c34a2b0bfc00709dd2619e3ad72b

SHA256
c2ca94d8855b628dc39fb01f50dab510c937884ff86e84dc980310e6d62ed93a

SHA512
ae020eef6810119d41d7a2f3260de864a82a561bfd6dabc1145187af43b20b7f3c88a158c9f01e6e6633c6fcadeef691f9a68e7320b0d6d5d5a88c8490dbb7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1A1.tmp

Filesize
660B

MD5
d5261978f2f0fb32a3272aae9f6b59cf

SHA1
5e941d97ba2e55302298d267fe43012127c3e5de

SHA256
19f20e082a0892cf7739cac36474b41051da52fbd115ad9cb2a47c9a10dcaf9a

SHA512
5643a2e5056afbe43ef12af8b89bf78b4a23eebdbf4a844f8969c7f1a5d242f09139e68347bcba10a8afc90216b48e750bad0952ae68884283ef51ec8a2b3495

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1904-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads