metamorpherrat | eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89

General

Target

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Size

78KB
MD5

edadcbcef93c77248f4d2c0c723ac480
SHA1

9e63fbfcdc6d64d4e2eeb25f7b252ba6d5c1bd00
SHA256

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89
SHA512

ef758c1a6b869ff711d6803e177e78670ab711868216881630108aa846ef1d63d824e9d92f99245eccf0c91939f26f1510fdfb12e5c2f16bd5f7932e144946c0
SSDEEP

1536:ZWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRM9/q51KS:ZWtHFonhASyRxvhTzXPvCbW2URM9/E

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2424	tmpCAFD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpCAFD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCAFD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Token: SeDebugPrivilege	2424	tmpCAFD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1284	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2604 wrote to memory of 1284	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2604 wrote to memory of 1284	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 2604 wrote to memory of 1284	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	30
PID 1284 wrote to memory of 1328	1284	vbc.exe	32
PID 1284 wrote to memory of 1328	1284	vbc.exe	32
PID 1284 wrote to memory of 1328	1284	vbc.exe	32
PID 1284 wrote to memory of 1328	1284	vbc.exe	32
PID 2604 wrote to memory of 2424	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2604 wrote to memory of 2424	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2604 wrote to memory of 2424	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33
PID 2604 wrote to memory of 2424	2604	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	33

C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
"C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF61.tmp

Filesize
1KB

MD5
57caa1b253c31aea3433e023e1cd30a9

SHA1
3442799d504df477d419972615258a3fc9aa434a

SHA256
b1a35918a3393b7bb1034cacac7a227f737856300acaa598b15513cfd5db8503

SHA512
f23ed3fca0e928140d39cac774d637a59f6445270112c0decc93af12f4af44440c9f0327ee5a8c8081bfd47daf56578998c1332318eca6adbc8f65c6552a3608

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp.exe

Filesize
78KB

MD5
911a3d1989a390e3d08fec28e2366f16

SHA1
a5668591123e508cfcd40dc5fba92d9a2d0b2669

SHA256
85c5bdbd82fbe4df238ae040d3db4355b146baf496ee8b2e2b62a468871596d9

SHA512
8a717635bc921e3395c38d82833fa6dd881635a64af5fa036e094368ed6c8339414e71884877489e1bb892eb05f79409b63b2368463056854aa6d91141d9c192

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF60.tmp

Filesize
660B

MD5
d20aa0bfe394b486b820ed03a8a1c2fe

SHA1
554b0afb9ebd72f67db48978cec81e3855d83577

SHA256
f084d010c2417e7c7868d57019efe680e026275ee99a3b13e96f27a4c5fa5bb8

SHA512
cb0c054ddfe80725e64bb27a64de948eeae5e2c372d6f841b9ef88c11e53604a652f2d52e3c0d1a6e0d97a1d9af012f08e11103339e7eb1cd758ba1c6c391625

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.0.vb

Filesize
15KB

MD5
c3d41a3e6d7c6cca6804b4e5ec7ce3b1

SHA1
eda63e6d893797a3104ccd7862117d7edaa1d62a

SHA256
a23c5817b2250d693fa4be1074c9c23136526fb7b43b79010cc01c13e62cf4d6

SHA512
e67fa9ba94cf05c46541374378c3211d4554e531b552630de87f11be5f756c52c18ca4849cfab75ca2e7cae190a36e7dd20932e8e56ba054fe92e0f844ca7cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpoq5gxj.cmdline

Filesize
266B

MD5
0c6607694847e897726c54ed2c20eefd

SHA1
19ca151170c3213dda3ab32b496a1cd2cc81ce67

SHA256
1d846cbbfe8af63d4da9803c28c01630f5f55f4475a7593bc95438e4f30a9258

SHA512
2e8e220b7477368747f402fa820b0111cdda30951730e4340fbac5e33066e6a3115ea71dba4186dcab642bd5a59bfa3363444e7ceb1327712caa5e3c7bef377c

Download Submit
memory/1284-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1284-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads