metamorpherrat | 848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2

General

Target

848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
Size

78KB
MD5

cce8d3caaac342c9f68fb22d7d400bf4
SHA1

a7493335479e82d1f4fb6489cae3afee8b6e061d
SHA256

848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2
SHA512

763e2e38cd71120dcb869ab12081e72b8b9eff53e917356a2c1cacab9fe035a6c097299875466afb424f26d7254e8fc17feee6c2137d91df83c874a35721f30c
SSDEEP

1536:kPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQti9/c1Ec:kPCHshASyRxvhTzXPvCbW2Ui9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2764	tmpF4F9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	tmpF4F9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF4F9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF4F9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
Token: SeDebugPrivilege	2764	tmpF4F9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1904	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	31
PID 2328 wrote to memory of 1904	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	31
PID 2328 wrote to memory of 1904	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	31
PID 2328 wrote to memory of 1904	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	31
PID 1904 wrote to memory of 2264	1904	vbc.exe	33
PID 1904 wrote to memory of 2264	1904	vbc.exe	33
PID 1904 wrote to memory of 2264	1904	vbc.exe	33
PID 1904 wrote to memory of 2264	1904	vbc.exe	33
PID 2328 wrote to memory of 2764	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	34
PID 2328 wrote to memory of 2764	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	34
PID 2328 wrote to memory of 2764	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	34
PID 2328 wrote to memory of 2764	2328	848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe	34

C:\Users\Admin\AppData\Local\Temp\848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
"C:\Users\Admin\AppData\Local\Temp\848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmwwc8px.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5D4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\848260c0c359d9466be69bc778d1794f8ebf1ff97a878ee3f330de88b0f02de2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF5D5.tmp

Filesize
1KB

MD5
dd8117ed048b3d4e80766c5483b25932

SHA1
37dc282aa808700ff55117a31045ebfa3cb26e0e

SHA256
298dc4e9a08e64923f721d8635f3759ac86055a0b794706b29224beec684e85c

SHA512
7f719c2fda61fa4f6d246700d7ebada9ca07d38c71e71fc1bf4242faec997d3f1cef4aa9522709d85f36e0038f8d16c7b5b10f2e63118aebe65ea0ff6598fbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwwc8px.0.vb

Filesize
15KB

MD5
68ce7d3679b7ac96e0e7e92f00ca439e

SHA1
a709d0926117aec95ff9a457adcde04cb615e564

SHA256
e92eee41af18a56b6c92e04c94fb2d46c6f7373f0cdea8d6233509a6b60cd2ea

SHA512
61428373e8a295d4f99a24fe6e6dc7bc7a5c6df9bde41fe43728cf3023438edcc7554fe52c86a472845c3849bd010868e7a26ce0546a57af4a04bbd1507fcf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwwc8px.cmdline

Filesize
266B

MD5
91dc6839de9acea904440e7e232cfe8a

SHA1
05db5d17bd763c1ead623ea8cd52f603e7d02fc3

SHA256
11e59ec444981782d6ae1a598a3d4e4266c5bbc6f5dd20cfde43f896a89516ae

SHA512
7cc60f678fb18e7602f06cb7e408d2c964056b0658c4aa5f60d8adeb47a617199b7b7dd67920a2ea0f4d4b73e03704de2f48e9acfe6d96b370b1e65f0baeb1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp.exe

Filesize
78KB

MD5
c4955f14a8ca4bdea7f38ce5c4d4c647

SHA1
76542648c9ab6d4eff3f616a646c84d735a32916

SHA256
81ee72f2e8bf83a666e47f31203e39ad980b5d50dd9a94206e01581d588e9822

SHA512
3d8cb7d67d4fb5d89eb1686f935496317059fdc54c161d520d18b20c418c691d31f5f6fb1553295c3484be51f95215c3c84eff39c744aeef412ae4591a05a644

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5D4.tmp

Filesize
660B

MD5
5d1e04eb358b7ce9fa4c5a264bb23553

SHA1
ad5bf13d1e714e0d5d200402254fcbaae86c9b25

SHA256
fcb4d542bb4ae9036725fc1a2056562b3528928803852aec21a240227f8c99ed

SHA512
caafff4f8802911003f3c0fb83b39453bffb33f736c19b680467c055b9f6f3c90c06f4d4f29e51e50cdc6d41dc84a9b7997af480ec962ec0cac1da3dcda05d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1904-8-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-18-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000074F21000-0x0000000074F22000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-23-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads