metamorpherrat | 7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e

General

Target

7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Size

78KB
MD5

9a5b36dbb2aef49ab0cea07620de1f6a
SHA1

b22fafa901c53180bdac54793ba4afa3d3a640db
SHA256

7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e
SHA512

20226a19c0c4b8f6a1a6ae8d05727e804c275013ebb60b052339e619ff98b2f128defdec84834493dd01bfec00e258ad14ff55a62635047cd4476f8e5e36b3ea
SSDEEP

1536:65OXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Y9/qj01KP:65GSyRxvhTzXPvCbW2U39/qJ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2844	tmp5706.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp5706.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5706.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Token: SeDebugPrivilege	2844	tmp5706.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2608	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	28
PID 2192 wrote to memory of 2608	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	28
PID 2192 wrote to memory of 2608	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	28
PID 2192 wrote to memory of 2608	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	28
PID 2608 wrote to memory of 2612	2608	vbc.exe	30
PID 2608 wrote to memory of 2612	2608	vbc.exe	30
PID 2608 wrote to memory of 2612	2608	vbc.exe	30
PID 2608 wrote to memory of 2612	2608	vbc.exe	30
PID 2192 wrote to memory of 2844	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	31
PID 2192 wrote to memory of 2844	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	31
PID 2192 wrote to memory of 2844	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	31
PID 2192 wrote to memory of 2844	2192	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	31

C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
"C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ns5kocne.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57C1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES57C2.tmp

Filesize
1KB

MD5
a8772a0678ae8919ac7851a8df2a9d62

SHA1
3062ef0e05944a465109d61901d227b5e10f665c

SHA256
e389b8ca6b2c37eb63a4b84ae2d7e625c733e6d0968c5d0f71c33d57885c1cc9

SHA512
5eb9301fe8a0e99d081d73eac217b9bf27e2647f81ea773e8ac40eb6dff88bb0c673e51503aa2845d731f73296c37efdadc1235dc166d825129a1904f23705d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ns5kocne.0.vb

Filesize
14KB

MD5
43ce2def895c9161aa643f952ffc3273

SHA1
78feb2dd3723176df4677a1dec18c31df4779245

SHA256
eb905b66d60b4276a31bb9216e2c08e5315cc7349cf091646974d6a4b6c964d2

SHA512
dc61c36b5d0388ceb91ae128bed426810e737ac64343113d8c0e9a15ccce531af4f5121158b48027d218b6dd003b0053de80f5383450ad35240b961039c55728

Download Submit
C:\Users\Admin\AppData\Local\Temp\ns5kocne.cmdline

Filesize
266B

MD5
290ef03c6b660e92ad88dea936718a5b

SHA1
84f157daa83c9ea35a9646ba825fca2ff318f662

SHA256
cf30a36c92fcc10e78bcac28c90fd770d6b08eb11139d3bc71258a8e8c300d83

SHA512
314e481870a6ef3bc1475bd3743ee26dd34d10dd6a4e65e1f540395555a0f0e27c916c72d1d3cf0da5a14f08c9bc4543b6903ea53a0ecf7f7e8a3f5c8cdd0d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp.exe

Filesize
78KB

MD5
05d50c9450c8dd93648a047d1c71a5ce

SHA1
3d0b09b0f438a2410b61e7ff03696913d23c2b6c

SHA256
f62b8f39673a63492a732665cbf6ebfa014ca733f7a4922819e3418ad52bc2d2

SHA512
5510e9b23c77867f39ceb1955e33480149a6bbe05e1f18de49fc9cf2221581a91ac988ef7ff61b62537a37dea3bb612bf1fc7769c6328c48135bc823743bb661

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57C1.tmp

Filesize
660B

MD5
4206822617bd9f903f107390fda1e30c

SHA1
dd76cbb24f9a2ba72ea1727cfb319b02058cef14

SHA256
cc007ee4bcf47d0798c2500d8bab87175fd19dbee7380ff8ff565d6f6acbaeae

SHA512
045da9b1b435c7565448d86ee9bca570d11c4289dfc1b4e7a29d27a2cc19b5722feebb60c4a39c912b0c249e687c95d43adb44a49886a5d8cf29edd98e813281

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2192-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-24-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads