metamorpherrat | eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89

General

Target

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Size

78KB
MD5

edadcbcef93c77248f4d2c0c723ac480
SHA1

9e63fbfcdc6d64d4e2eeb25f7b252ba6d5c1bd00
SHA256

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89
SHA512

ef758c1a6b869ff711d6803e177e78670ab711868216881630108aa846ef1d63d824e9d92f99245eccf0c91939f26f1510fdfb12e5c2f16bd5f7932e144946c0
SSDEEP

1536:ZWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRM9/q51KS:ZWtHFonhASyRxvhTzXPvCbW2URM9/E

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2520	tmp8085.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8085.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8085.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Token: SeDebugPrivilege	2520	tmp8085.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1584	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2540 wrote to memory of 1584	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2540 wrote to memory of 1584	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2540 wrote to memory of 1584	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 1584 wrote to memory of 2344	1584	vbc.exe	32
PID 1584 wrote to memory of 2344	1584	vbc.exe	32
PID 1584 wrote to memory of 2344	1584	vbc.exe	32
PID 1584 wrote to memory of 2344	1584	vbc.exe	32
PID 2540 wrote to memory of 2520	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2540 wrote to memory of 2520	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2540 wrote to memory of 2520	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2540 wrote to memory of 2520	2540	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33

C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
"C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agvhwfdn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8132.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8131.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\tmp8085.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8085.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8132.tmp

Filesize
1KB

MD5
aa64b8ca86959f5245b0640b3740a23d

SHA1
6be061a88368416b9188f6e40632af4ac0564ceb

SHA256
0e82bb7c6f750f9412cb6b80f8792481f349454db2563af3e4e53d87aed2e954

SHA512
d83ea68623efe552ed1fb837aa9a63d761adc8846286209466ab824a29782e1c995863945ce02f0530bcbc773052233224e2dba7b660d9a2499509f0affa78f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agvhwfdn.0.vb

Filesize
15KB

MD5
22f5efd43906937748758ec4dcdcc3d0

SHA1
50fb988563fca9a16f78a2097f827c5dbe1d1c95

SHA256
b65f5012294aac3c4eb09abc15cb656592d972ada45006eafa5bb70a5bfc8f36

SHA512
3de8154704d06d57886d7b4b4c9ac1c35f2ac68efd90ea6952c19043b195b4ab6fd9ef0b383ca407596426663c8815db855afa72ccdbb634edeb328234f7669e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agvhwfdn.cmdline

Filesize
266B

MD5
b41443f533739e8ff243773419dfdda8

SHA1
97df03869b116922c3c148774605210464605077

SHA256
3a1847864aa96c55420c3ef9c96fd2a6d593bd85c56f0e3c255f65e020e33eb8

SHA512
8c09f9028a66ca2ddcd6a301e7526efa269258b46fcbcac805e8da87f7aea7ff2050422952399a28a20b23147e8031b87a69f4eb5d23cd1f80861480798d4f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8085.tmp.exe

Filesize
78KB

MD5
85e0b5aa2ac65cbf7b17d5450682a78d

SHA1
da6f69e7f8b24c7e5b8cb83a6ba60bd936495281

SHA256
174debdb5229038a89f0ba1a27b41a80113854970aed2a3294f40392746eb5f2

SHA512
40238952edd6bd436f80d2e8795634a8ea6efff3f25680974de61e36b3245d407a90fe6d3a9152c87c194a5184c1b5c04cbaec4adb9b40366843369eb578a6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8131.tmp

Filesize
660B

MD5
fb8686647699e9d5f4bbdfae2223702e

SHA1
75a0bb4dddb6394d0a138ce0bc89927295dfc279

SHA256
b1050ec854f95661d914d4e8f0edbe53f29e17b0a08462c662889c5e1ebfb225

SHA512
e975a8d4ad9ab2e2830f04cdeedb653254a98f77bc36496ccc06f2e2e26518894e74971da9ee924424cbbdbe00c1b737c54a49811e7e4fbe4a08f16ee2ef71c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1584-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-24-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads