metamorpherrat | 17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967

General

Target

17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
Size

78KB
MD5

08d889480a2770d650d20e8f18885490
SHA1

e5c6f31cd767d26a8e85a1c65a9e3b970675329b
SHA256

17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967
SHA512

91fbe4b6535794e985db6fed0c4299e679ef5c0123edd545581c7a260da05febe1b6cc111bb58a0b6d23eb51c431ba4b88fe3c146a7223cee5320ea25a9e18b7
SSDEEP

1536:7PWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte9/V1rl:7PWtHYnhASyRxvhTzXPvCbW2Ue9/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2256	tmpDD93.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDD93.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDD93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
Token: SeDebugPrivilege	2256	tmpDD93.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2836	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	31
PID 1720 wrote to memory of 2836	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	31
PID 1720 wrote to memory of 2836	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	31
PID 1720 wrote to memory of 2836	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	31
PID 2836 wrote to memory of 2324	2836	vbc.exe	33
PID 2836 wrote to memory of 2324	2836	vbc.exe	33
PID 2836 wrote to memory of 2324	2836	vbc.exe	33
PID 2836 wrote to memory of 2324	2836	vbc.exe	33
PID 1720 wrote to memory of 2256	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	34
PID 1720 wrote to memory of 2256	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	34
PID 1720 wrote to memory of 2256	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	34
PID 1720 wrote to memory of 2256	1720	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	34

C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
"C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\piuxgqmh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE2F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Users\Admin\AppData\Local\Temp\tmpDD93.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDD93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp

Filesize
1KB

MD5
4679250a89f45e0a3be3ba867c6d0409

SHA1
9639eca92bda86ef48ab83294498dff33a2f66f3

SHA256
886c5ca68fdd948aacb5ae617926b672ac98ff6d362c4033be289cf0ab2662ef

SHA512
87b3043faedec782ff3ba2f33d728888c815fda7bee5e2c838accbef0976492fcec3e6c0235b0f93cf2fa17db3ab75042868854b0327df94b55e7c0832954236

Download Submit
C:\Users\Admin\AppData\Local\Temp\piuxgqmh.0.vb

Filesize
15KB

MD5
1453b1571b4fee08019c87d1513ef9f9

SHA1
4f94259c67c3f8779a33bd4e78845c3ef0564e66

SHA256
d56a2f4f73053ad09592956d1488b8b49a03bfffab59434614807c451fb64d4c

SHA512
e74c66c9e3483d9add2f0402c6ef43a14d888574abfcd23e577dfdea9b4703bfe38a8a9feae36fbced5f63aa4597c3ae876f3e55feb076d2819d18034cadb7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\piuxgqmh.cmdline

Filesize
266B

MD5
7ae017dd12c053550cb4d27e7b3a3b3d

SHA1
c76a61cdb62815e195ace0b5c90abdf0c4bb4ade

SHA256
933cfd41cb576ee0b884435b5bae467988ace221e0009e100c9468524f35d475

SHA512
2dc11abe6ad35672bc36e5543bcdc80eba6d043f5f4fb2639ff7f5e6e05a3c9e3329fb6f676fb0a2076c1d1586b24582855c3910361507084f9aeda363476638

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD93.tmp.exe

Filesize
78KB

MD5
7a965d979825871811729406b3a5a394

SHA1
8e49133ef6c21bbd34e72ae093b5ebd7fe319747

SHA256
1cd1fe0dcb5e1324aab78d7fcac377d72648b54696269173849ae87907707c1f

SHA512
d4325bdceedf84f40efc64a3e8d1cd0b0b6a782bf5f10ffe429fca923a73fb93063ea6789c9e38a48690170134b1ef843fc7fe77db423f49c9d97ef676d6c753

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE2F.tmp

Filesize
660B

MD5
d986d993979786393c69b5fb7133288c

SHA1
87141931c8a97b139c5ce3e4fc2420b558fc543e

SHA256
bc47b61474a9b55287826b0b9d5e368dcf29af22dea21b5007b2dac497cda099

SHA512
13d9e033c33471478aee85bad5548c1e311d7e0dcd5e2b93c3fd810ba88ac35ec15f4ec88fa4cced93f9dcefc0dd637dc57e1e8fd35455c318dc695ee03db858

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1720-0-0x00000000743D1000-0x00000000743D2000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-24-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-8-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-18-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads