metamorpherrat | c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6

General

Target

c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Size

78KB
MD5

970c82b0bcea5031ceb690f522bfd8e0
SHA1

f33c8f7c04118929b458c076f33d0db114a8c885
SHA256

c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6
SHA512

43e9b54de9748cf207bd47ef6e3051aace1ae80c23f36cd1f18f7e6c9624e5d07b8ef24d33f3a36525f5e4b5826e49f61240de09667987e6427972bfd030b7da
SSDEEP

1536:FPCHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtl9/Y15M:FPCHFonhASyRxvhTzXPvCbW2Ul9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2644	tmpD3C3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD3C3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3C3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Token: SeDebugPrivilege	2644	tmpD3C3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2256	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2848 wrote to memory of 2256	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2848 wrote to memory of 2256	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2848 wrote to memory of 2256	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2256 wrote to memory of 2496	2256	vbc.exe	33
PID 2848 wrote to memory of 2644	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2848 wrote to memory of 2644	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2848 wrote to memory of 2644	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2848 wrote to memory of 2644	2848	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34

C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
"C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvzys868.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD51B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD51A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\tmpD3C3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD3C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD51B.tmp

Filesize
1KB

MD5
0002a77bff59a7cdcd4a9a1dda749863

SHA1
6415b6aee19e5761455e2c6adb7e2cbdd3347e48

SHA256
196023382dc2db97f7ed8f9febd7e3bcc8ec83ec2cae7831702631b0c9d2506e

SHA512
52d0c052b5d3e23209e4248643555ddbfb18138c6fab0d4f45548ba3c790bacaf6b8d6c19860b7023ad5a18a3057317cc2eba4d621f6400457dc4ccd469322df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3C3.tmp.exe

Filesize
78KB

MD5
695ee45536195a73014eaf199605e542

SHA1
27bfeb411d0d0e334d434e0cf722cff98ea74e83

SHA256
22d86a63cb9976f35bbd306a71756b02c7a5c001a38012cc3da81480abe2b112

SHA512
0c115b50fa2998139867e79dedb8a893d1f273a4195e8437e5ade2537607f02e8509d3e79858c577dfb8db4405ae755600c5ad8f58940060ba89b27082549b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD51A.tmp

Filesize
660B

MD5
60cecc4170654933d17833b52b7de8b9

SHA1
1138c09bbf0916678357d503279c63ae7ec36352

SHA256
d88be5bf11ba0387cbcee2ec0277abac80d28c3c2d3f7214c432210244541df2

SHA512
3b30164872faec0458765e763e14a77438ea4f5a0dc6f46615f41c1d2269f6851cd94200f8c9b33f35246d90b70fe955dde0a23a8e9ab62b5eb24f7cdeb2f89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvzys868.0.vb

Filesize
15KB

MD5
bfba358fee1fdec532c75b34191b6b8c

SHA1
a1c63448549e504f18bc16fadf7625cecc0377fe

SHA256
c72041c27bbcbe8b72cb99c4d5e7c27d1474b6ec0683ada5462c50e438315f17

SHA512
642e89dfe81eea3a02c515acc6ed5cc87177b81cc5de15c2301970ffeaa8353867024ca9bd449004790de9564500e4214c65df820126e4d04cbfc38c30e74d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvzys868.cmdline

Filesize
266B

MD5
124da025c8a1233e1687fd710bfd3c25

SHA1
48ae70200e8120ab6b4aebf2e3911ccf34bb4182

SHA256
c30fd2b2cee3c43a9dd0bcb5e0fa995bf3222c9d3396e792918d95ee021fc67f

SHA512
6a5be473b6bd3c0919ac3b55777bca89d583fa3d76c8ec702f9fa190a379ad0f9ae8fa3001a9624ec577d0097fdd915418463a83422f654bae7c332e87817a1f

Download Submit
memory/2256-8-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-18-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074B51000-0x0000000074B52000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-24-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads