metamorpherrat | 6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038

General

Target

6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
Size

78KB
MD5

6c3538f20f62c8730a7235bb1dcc5840
SHA1

5a29b3d12eca2bc70f6c8c644bf5604bc4b66682
SHA256

6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038
SHA512

4ef144932922de5ab7f83af26575f0b2fb2c6d2158d8b8e63012e73ff08375a603bffb5a57a200bc9e36b57e142e31978b00cad21557872e8b795441595c656a
SSDEEP

1536:DPCHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtz9/y1Pu:DPCHYnhASyRxvhTzXPvCbW2Uz9/R

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmp9914.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9914.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9914.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
Token: SeDebugPrivilege	2812	tmp9914.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2528	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	29
PID 2564 wrote to memory of 2528	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	29
PID 2564 wrote to memory of 2528	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	29
PID 2564 wrote to memory of 2528	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	29
PID 2528 wrote to memory of 268	2528	vbc.exe	31
PID 2528 wrote to memory of 268	2528	vbc.exe	31
PID 2528 wrote to memory of 268	2528	vbc.exe	31
PID 2528 wrote to memory of 268	2528	vbc.exe	31
PID 2564 wrote to memory of 2812	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	32
PID 2564 wrote to memory of 2812	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	32
PID 2564 wrote to memory of 2812	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	32
PID 2564 wrote to memory of 2812	2564	6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe	32

C:\Users\Admin\AppData\Local\Temp\6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
"C:\Users\Admin\AppData\Local\Temp\6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7lrqp3dc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:268
- C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6cffad9f751ff707de710be4b98f8c5b7af93961e09187e50caab6fdea59d038N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7lrqp3dc.0.vb

Filesize
15KB

MD5
3bd90ce3c84c89405014dde98fb58817

SHA1
2621b4959969267580ecf612f8a38d92a0723522

SHA256
32491691fc4abbbee803ad329d6f9389939bf976501686e71f80b7f6ba880871

SHA512
5b6b4e81382a5146435a29fb6fe3a91dc61bc884bdb69249850f784da975a2f710b6cb52465ff7f03471f141b78f4094d0dffe47481d82923973f8adee23a4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lrqp3dc.cmdline

Filesize
266B

MD5
712c6c1522da39a650f26a431bad9cf8

SHA1
923a84d77da5c55dc91ba614046eac43fd496949

SHA256
f432e2ecb5c2266029bd87e3026c0914e92bb017db8d0b728ac7fff7259a8a3b

SHA512
6ade43bc63e868ace66e0e87e581d12034076b7fcc190b7b712f4f88b6a5158941a3d0a002024c99b19b7f083cdd4072078db274f16fb034429bc8f787085baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C6F.tmp

Filesize
1KB

MD5
272d6f71842f4fd331319ae73272a677

SHA1
86448c282456977193303f7adfc4cce99249eecb

SHA256
bc4c8e12dd5b2bc2d586232b8ae9b82948063f3efc60b278547d8719edd8b7f8

SHA512
0b67aefe8a60b3d588b86e2e7f233232d779dfc9469c45c3f3636af56e53df916f37b03836f452b91e1fc28e11b6d111e94ec5beb68cad54a4a308dd26a307a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe

Filesize
78KB

MD5
79977a46d726c305fdb5fc06344d694b

SHA1
7fbb4ac0a599c2a7c91d01ebbd620895410c771b

SHA256
039f7b6706940f9763c2c1ca2ca039e1f727002894a18d11adf7ef70e9b8ddf5

SHA512
6213a6effb4e7fad3a93c37deb01165b0599c3d2f520b86b16a271b652b7e0765df22869dbcec775489f06d3c1dbc18ad7c72f242eb34cc35e511e7799699a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp

Filesize
660B

MD5
546a4f83140239591d569c20f4e5b746

SHA1
67ed9d1401e7e5b056236196770b2419810e2029

SHA256
e3ba429cc36a271592180699a8704ea28f01a228cfb31b2171cfd912fc0bae70

SHA512
13261c7f78ea4c2369b22cf053abde0471c55250be44a6c8ed1f1f28ca9f1c156bae9ae9ec7ff517d87143bdae7b7c43fb2ff977aa6ad2eadb583a61903e6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2528-8-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-18-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-2-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-24-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads