metamorpherrat | 897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4e

General

Target

897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
Size

78KB
MD5

06cbd6dcdac61b56497ed32e887aac80
SHA1

d427f13e4c3e23965a38d45342c934d1ed167479
SHA256

897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4e
SHA512

97d0e7156cbc4f91726969455271effba2db247cb0b5b1f2154f820a8612715627557c197bd8c7fee0d0a991def9f8cf9622c65b463fc4f291dae4edce095e4a
SSDEEP

1536:se5OXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6549/51bW:se5GSyRxvhTzXPvCbW2UR49/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2256	tmp455A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp455A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp455A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
Token: SeDebugPrivilege	2256	tmp455A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2700	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	30
PID 2748 wrote to memory of 2700	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	30
PID 2748 wrote to memory of 2700	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	30
PID 2748 wrote to memory of 2700	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	30
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2700 wrote to memory of 2844	2700	vbc.exe	32
PID 2748 wrote to memory of 2256	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	33
PID 2748 wrote to memory of 2256	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	33
PID 2748 wrote to memory of 2256	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	33
PID 2748 wrote to memory of 2256	2748	897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe	33

C:\Users\Admin\AppData\Local\Temp\897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
"C:\Users\Admin\AppData\Local\Temp\897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l9jnoanm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4693.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4692.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\tmp455A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp455A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\897215a2e9493bd9f7b9c830236d4398fff83451eb65983eb807256902394f4eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4693.tmp

Filesize
1KB

MD5
99ff0dbb10b2264e593a2df2b2a459a2

SHA1
17ffa7d9d8c0758e3b57dfd11d6183e4c01c2624

SHA256
bc0a61ea383b242167d9c3629eb495e63a68d941f3cddd6877868f0e42583d7a

SHA512
48538a6b67bde6561ace10e93318027f3d242bf08fe2f3139424d68116175e621a7f5017b7b2864b339515c16168fd793371a2792353a4d4068d77e530ffa402

Download Submit
C:\Users\Admin\AppData\Local\Temp\l9jnoanm.0.vb

Filesize
14KB

MD5
0d6bc4e9662ef9cd9b90db6a71a41246

SHA1
98d4647dfb88dd63a6cad0495ab3f4e1d907dcf6

SHA256
41f73a111ddffbe1b320de0cb99260f1797ab765d595dbbe63642a38f86dac48

SHA512
90ce6fca62324c35f2f14d2d309c6744b5ba317a3740dd0e0b9eba52dc9cd32a45aee790174f1ea878819a1611b036e3b6f4a6d7aa0f5b8f4fa0618969410be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l9jnoanm.cmdline

Filesize
266B

MD5
5916257c217ab484677b6885c7ef6526

SHA1
3d9eb691f51368d0dcee0aa10ac35f05205aea09

SHA256
54cfb01eceabdf000201e3dac76efc755ed0f392b3075973f01ed32f47450a0b

SHA512
fd2e40802fda5bcec95eae9f6e286a60b2ce76f4ae9bc18e594bc9ee3d5148a618957f5ed5968b3ab310104c69bcbf6532f22cdd57cf927087e350c103ff5710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp455A.tmp.exe

Filesize
78KB

MD5
1ccb10ae6fc7d1fb35b9ceee9f1a728a

SHA1
5a144806549f571baecb7114aaa0c1253515f84f

SHA256
adce3c190acab7a03f961b08eb6367983829f4faadf912ddfaa3bdf8dc462ceb

SHA512
5866da7e6636e2c8e9c7111172ea7bfda9b9dd90ccbbfe0293ced8e6fa08ceba972ce080a10307ce2979635aa03b24a3b2772bd055acb333512b6e493d9c4ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4692.tmp

Filesize
660B

MD5
379e944af726e17fcfa7c3b1a5c9cf89

SHA1
fce4092f60f8769dd8c51bf36917568b76823b26

SHA256
ee6f13a11d9b703a3b7f01ac024ed99b91165dbca0fd7d4b6e2e680165326c54

SHA512
298604fdf5c7ea297994e3b6543eca32c818259414fee1d50cf61c10e628eb059ed560e33cd9c1dfa23d3cc99c39e3718df1a865af06deb8a6e9fdc4dbb62ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2700-8-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-18-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-24-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads