metamorpherrat | 1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305

General

Target

1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
Size

78KB
MD5

39e861c10ee19a6b7290154a4d98dcf0
SHA1

cce5b1b97dd5622e0bd45d57a7a602caa6d341c0
SHA256

1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305
SHA512

916f7eac4df8480ea9ef8a9ce61a24c49a2836f38018fbf95f1dc229ae06b3918af839c6c9798a20f5131b7ff1768379751b9adc450e5def8ca2163abf3eea61
SSDEEP

1536:ORWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtcD9/P1jA:ORWtHFonhASyRxvhTzXPvCbW2UcD9/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2956	tmp9E33.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9E33.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E33.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
Token: SeDebugPrivilege	2956	tmp9E33.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2392	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	30
PID 2268 wrote to memory of 2392	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	30
PID 2268 wrote to memory of 2392	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	30
PID 2268 wrote to memory of 2392	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	30
PID 2392 wrote to memory of 2896	2392	vbc.exe	32
PID 2392 wrote to memory of 2896	2392	vbc.exe	32
PID 2392 wrote to memory of 2896	2392	vbc.exe	32
PID 2392 wrote to memory of 2896	2392	vbc.exe	32
PID 2268 wrote to memory of 2956	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	33
PID 2268 wrote to memory of 2956	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	33
PID 2268 wrote to memory of 2956	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	33
PID 2268 wrote to memory of 2956	2268	1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe	33

C:\Users\Admin\AppData\Local\Temp\1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
"C:\Users\Admin\AppData\Local\Temp\1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9yj_tf6f.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F8A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\tmp9E33.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E33.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1adcacda47ac8b7bb684fd4b0d721f626c83d835e11b0ddcfe1128de26dbb305N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9yj_tf6f.0.vb

Filesize
15KB

MD5
a06fb818fca2b8a8d2c02b78712671a3

SHA1
641e0e1b9c9fd2d84095b41d65c582df6383fe29

SHA256
c751e140425afdb7fb7cbe450b665e94cfb2de8a0d670a67ad5b59d9b852f883

SHA512
5cf6e83ffd28d2a351946b757079829d38d7566c42c182faa103616f55c6e0ff329c2f7ef6798373b52972fb56235a3320420c8c8e9835c41a9204a77639f0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9yj_tf6f.cmdline

Filesize
266B

MD5
493508816c763f3171ea71b0b82ddaba

SHA1
a4d7ca4cb59b4b8d7f4d4d9e85c87c2270c168ca

SHA256
cf1e22cdf24f42aa38ac6c6fdd5aea53f3580c57c22077d68bffd39c2ab8a0ab

SHA512
b5ee6f1373406928fe33915af479c4bdbe954382d9eb0f8b95aa98311807c0def84ba9459f2e0b36a6d59aef69f0eb77049eabdcba003915468caf84adea2012

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F8B.tmp

Filesize
1KB

MD5
7beea4dbfd49ef18a0009455e88c4249

SHA1
26cd08bc9b9870093ffa2ee27cb4acc9fc98d920

SHA256
de99ebc63ecc38201ccb2acd2f67cf0608d8c8583ced3530cc105283a53079d9

SHA512
2945b4dfdbf81266bafa6cc7dd81ceec72fc935f157b23ccbb8af826c379c263775b1f538fb14d307b00dcc58209752e268f71223170a98deac7c69376d9b615

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E33.tmp.exe

Filesize
78KB

MD5
e52527a13055afd1f490ff29397eddb4

SHA1
c077add40c8e48a58faa4c1227b4e407f9e2b6e9

SHA256
af45fb3caef0699fb17fdda141a2a9884e558e7e8ea0e8f3415c1afaa117776e

SHA512
196028505520804d93a627dd0d3aa14938e4ea85286c78c6f3d849891e2b5e35c15e568558d2d39da644f8b20129d2a68a72e94ba923e18dffc2475212fc78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F8A.tmp

Filesize
660B

MD5
9b2d17df564c31cfc3fb00d03da05ef6

SHA1
10951ae7b7547bc278d718bcb38495bf3fc1e5da

SHA256
7deb1424a638bad172c4bac3a554269d2a531ce5eaee40ab40fd913219bea2a4

SHA512
ed7d6b21356e5a8db32083ae4e2f754bdd2284910e71c918372433cb58b94bf729b4637f1a78db16ffdb55ce3460a039022d32c9daf956e2ecd524fb1b018f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2268-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-2-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-24-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-8-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-18-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads