metamorpherrat | 894a184a26cd23c167403b615474a3e5c14868267383ac1c0e23a88b7dedd9cf

General

Target

58017e4abd7af023671ddce9dcca1060N.exe
Size

78KB
MD5

58017e4abd7af023671ddce9dcca1060
SHA1

f2081c7d3b4242415b4656ff0ab4539176ce4318
SHA256

894a184a26cd23c167403b615474a3e5c14868267383ac1c0e23a88b7dedd9cf
SHA512

c5e3fba8723e0197785aec1c37856eb5447ee9f347927d99c4be8c1bcb3332985b7c3bfc239595b888e4b7a31bc5a049df3bf8f5d95ee56c3cdfe3c038d57427
SSDEEP

1536:/WV5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Q9/J1PE:/WV5jS4SyRxvhTzXPvCbW2Uj9/o

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1892	tmpC88D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	58017e4abd7af023671ddce9dcca1060N.exe
2556	58017e4abd7af023671ddce9dcca1060N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC88D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58017e4abd7af023671ddce9dcca1060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC88D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	58017e4abd7af023671ddce9dcca1060N.exe
Token: SeDebugPrivilege	1892	tmpC88D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1872	2556	58017e4abd7af023671ddce9dcca1060N.exe	30
PID 2556 wrote to memory of 1872	2556	58017e4abd7af023671ddce9dcca1060N.exe	30
PID 2556 wrote to memory of 1872	2556	58017e4abd7af023671ddce9dcca1060N.exe	30
PID 2556 wrote to memory of 1872	2556	58017e4abd7af023671ddce9dcca1060N.exe	30
PID 1872 wrote to memory of 2428	1872	vbc.exe	32
PID 1872 wrote to memory of 2428	1872	vbc.exe	32
PID 1872 wrote to memory of 2428	1872	vbc.exe	32
PID 1872 wrote to memory of 2428	1872	vbc.exe	32
PID 2556 wrote to memory of 1892	2556	58017e4abd7af023671ddce9dcca1060N.exe	33
PID 2556 wrote to memory of 1892	2556	58017e4abd7af023671ddce9dcca1060N.exe	33
PID 2556 wrote to memory of 1892	2556	58017e4abd7af023671ddce9dcca1060N.exe	33
PID 2556 wrote to memory of 1892	2556	58017e4abd7af023671ddce9dcca1060N.exe	33

C:\Users\Admin\AppData\Local\Temp\58017e4abd7af023671ddce9dcca1060N.exe
"C:\Users\Admin\AppData\Local\Temp\58017e4abd7af023671ddce9dcca1060N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzur00b2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\58017e4abd7af023671ddce9dcca1060N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCA14.tmp

Filesize
1KB

MD5
242fc3ced6cebb93feecea6722c5122a

SHA1
f192c30b125a9a23e8523a1af7ad8ed1e8b5eaaa

SHA256
8a40180a3041d80ad75ca1085efa5e98678ab848f27e70ad9715e3e19d518dd8

SHA512
7c18be10325bdd8a1359b4fc1a9ee3f50831377e18c43cf9f5df21d038782512e199df7a8ddcf37bdb7151b3fc856740c9421e6fe1f738fb46e711e6e2bc43a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp.exe

Filesize
78KB

MD5
724af22d0469bd0cfdd79934ee119096

SHA1
f5b35ac4c16c231a2cbecb6e94eef88e2b4b5c19

SHA256
a29657c6483cc9cbe5dfa7ebbd3048cebe9968e5e0e535b663b05746d2f20bb6

SHA512
11c7c28670636532bc04f116a80f0b0dffe3faaad454098af303e8153ce2c9f7d454d768907d4d9b2f697ff9cd58089f06b0d3f83b961d4a3f0539789aae1655

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp

Filesize
660B

MD5
d88fdc5426a4ad2331bdb33847f736f3

SHA1
8be2f9c4377f710df647669f300908a142eecf79

SHA256
f730ee2fadb96f291aa339c923220c7b81234bccdc6058ab7f0d61e555e2fd82

SHA512
fe91909adac716b372d0288a243081e54b480c221ce2b85bcbb954531c1ff3d753b19ec0fd74b3176f5734ede486271cdf9760232a33a1e352ffbf409c326a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzur00b2.0.vb

Filesize
14KB

MD5
250bafd5bebe3f925bbe4a6076575c4a

SHA1
cb2a6b1a307baa60d124b69702fa039603661d57

SHA256
e8d5e08b54a9400782eca9eed2b0eca3a28e2eb718dfe96d672b97ef6ef2a6f3

SHA512
27058902ff9486a0e9388d73b46f7ff04a3496857855b45efad0006888d3d7f5a25c26d997191e728a80609093db7a863acbd413447269826ec4bf0eba5387f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzur00b2.cmdline

Filesize
266B

MD5
f6bded8dd231569db1c5b15bfb981bb5

SHA1
cddf1c8f77dfd8f4b01f70a49dd1ef0782e49a6a

SHA256
89df5d54cbc488f3cf8d85f09750081420d05dded467bdcdac89bb03e1141bdd

SHA512
b86ff92e4e4fa1b8141ef58f36eb119f0a6c6e1faa4c503de90e266b93b90f307b30779571b26f1ec3de1f01e4fc391277f068a10d07f5641a08d5c11036beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1872-8-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-18-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-0-0x00000000744B1000-0x00000000744B2000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-2-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-24-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads