metamorpherrat | ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b

General

Target

ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
Size

78KB
MD5

b6f0674c0f2b31b3b5cefe91be1b6582
SHA1

dd40df38bc722c3dff53ee01a7cc878b75660d83
SHA256

ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b
SHA512

ae15dfb83e002e4de7d57aefefd3ee8e10fd84d7a3839b2c9b58db5e7c8415afa2d78962f6b4cdf7671fffc8693e71b0be295e9f0454f62c8cfe4293f71c3716
SSDEEP

1536:ye58AXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6g9/D1B/:ye584SyRxvhTzXPvCbW2UI9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2712	tmpA6F9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	tmpA6F9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA6F9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6F9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
Token: SeDebugPrivilege	2712	tmpA6F9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1600	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	30
PID 2352 wrote to memory of 1600	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	30
PID 2352 wrote to memory of 1600	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	30
PID 2352 wrote to memory of 1600	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	30
PID 1600 wrote to memory of 3032	1600	vbc.exe	32
PID 1600 wrote to memory of 3032	1600	vbc.exe	32
PID 1600 wrote to memory of 3032	1600	vbc.exe	32
PID 1600 wrote to memory of 3032	1600	vbc.exe	32
PID 2352 wrote to memory of 2712	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	33
PID 2352 wrote to memory of 2712	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	33
PID 2352 wrote to memory of 2712	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	33
PID 2352 wrote to memory of 2712	2352	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	33

C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
"C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bn6tvkxi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp

Filesize
1KB

MD5
b91ca02ad69f925e52e11dfe394a2554

SHA1
71cc9b765db0446af606f4ed916e72d0a9b1c8b3

SHA256
cee45ff2cc45960af2e90de95ab0bf5ae2ff5cffcf81fb8c6dda5703d9e273eb

SHA512
81b9cf468ecb3c128e491d996ed41eea8d4c4d36514423a1e2ab0dcc36a528e807caf6a4c68fdc7acb9d24dd3e71cb26ffc47a01e984cf968183c84ae726610b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn6tvkxi.0.vb

Filesize
14KB

MD5
af505f1369a121601c2203c83e5d58d1

SHA1
8095a4d498997188d4b44518d8149387f9046b52

SHA256
119c373185ce31eeedeb59fcd7653cabd00d5d88485f878425d3c1397b09ebc2

SHA512
910821306a1b7c94d4bb4fb303c5e4ac4bacf2ab4ba396a744fa7efac227c58b7f9e583f53a92ab331318140b518961e0d43ad8417bc5d980613b0b0960c1676

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn6tvkxi.cmdline

Filesize
266B

MD5
133e506596fe5defe6d7bd8dab2b7e19

SHA1
ee51f213329d73789857181e611d4d59b9ca8511

SHA256
0e6acbead76fd7f27226cc41e919c1d036905cbdf4eceb3671bf969100a94d65

SHA512
f671822c97ff0b2a3a16f421abb66ec304b9e8306df52370730d5107b7d53590c0521a3ba71e7bad4c33ea4beb04f82c719627fa9abb9af5e31f652170cfa419

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe

Filesize
78KB

MD5
3647c825fe7fb8a2aef7cdaa21684f43

SHA1
effdc8854f1ed316f0723268a2142cdd9a8ec181

SHA256
3dd38e34e3d3c25d3c5e53f67673fbb72841b03d211877ec9eca1c5d2b7c9749

SHA512
43ea2ef7a223c88a20f0a67d3273d030a7fa6ff6ea48033bcec623da2746bc829e4418e6b8310957bdcf17e5c80815610d9cedab2a9e71d6ac1f249a96dfff5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp

Filesize
660B

MD5
d8afe584c7c95255b7a28bc733ea97ed

SHA1
78070df32f6787fc1f3b9b5fedce3f8236576932

SHA256
a6962a76b2dc26f73a471ff24ea32967951861db8d01d605277e505c459d5ceb

SHA512
6c26852e4c60ad18c385a8cffcda20d6e2af26d4649c4c599965ed25ac32fd37786cc1220e69ddc672259ab8ce35359f3f322d6106bac184b1576911f1d09c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1600-8-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-18-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-0-0x0000000074E21000-0x0000000074E22000-memory.dmp

Filesize
4KB

Download
memory/2352-1-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-2-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-23-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads