metamorpherrat | c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6

General

Target

c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Size

78KB
MD5

970c82b0bcea5031ceb690f522bfd8e0
SHA1

f33c8f7c04118929b458c076f33d0db114a8c885
SHA256

c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6
SHA512

43e9b54de9748cf207bd47ef6e3051aace1ae80c23f36cd1f18f7e6c9624e5d07b8ef24d33f3a36525f5e4b5826e49f61240de09667987e6427972bfd030b7da
SSDEEP

1536:FPCHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtl9/Y15M:FPCHFonhASyRxvhTzXPvCbW2Ul9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2632	tmpDE00.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDE00.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDE00.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
Token: SeDebugPrivilege	2632	tmpDE00.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2340	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2888 wrote to memory of 2340	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2888 wrote to memory of 2340	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2888 wrote to memory of 2340	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	31
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2340 wrote to memory of 868	2340	vbc.exe	33
PID 2888 wrote to memory of 2632	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2888 wrote to memory of 2632	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2888 wrote to memory of 2632	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34
PID 2888 wrote to memory of 2632	2888	c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe	34

C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
"C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmwwlruq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDEDA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- C:\Users\Admin\AppData\Local\Temp\tmpDE00.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDE00.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c899ef4ca4d00a1f74ea670d589fa9426bceae11bc14b268b695034226022ba6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDEDB.tmp

Filesize
1KB

MD5
a30b214e2a3c2305aa205a676a434ed2

SHA1
d56848d7ea41172c4e720bd2f30bb80f5a7af5e5

SHA256
2433e72ee173f2d66dc4f8591fa39c4ed17bf845ee04098a51e844bc50d1ced1

SHA512
0b33232133e53dc00a48b3f4a460c473f5758783b5daadadda8c5cc61c361f8136d45d8358744a39e569ef3fc870a4a7a5dcf92492b22af239c9b204d32b186a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmwwlruq.0.vb

Filesize
15KB

MD5
32f6cd3fcb3a6cda668bfdc17eeb434e

SHA1
55fae843e06ebb4699e57b08ad22f5d886a0d529

SHA256
1fa456f245859928567b22ed3d8e64900137aa2f03b157eda45cda8b12163f9d

SHA512
478cc24d18fe5d0ef02ae988a23059886536645439e922327279e015d8fbb87cb7be8627f32846e0a950f86e841653797df2d0572be079710755f1849c0c19c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmwwlruq.cmdline

Filesize
266B

MD5
0fb1d4c2db6141ef7a0e3411a8d138ad

SHA1
332cc59827e73eee54a82fce38378b1a8443550f

SHA256
a4c7ae86e82020f4f049b0a59fdeb9a7e32b6a02e40670c9cd895628fe68286a

SHA512
2cc692706b63a86f925bf306ab7fad7c6f7de6c69fc0562af6c46881c722c502098e69fe928fead95d0102471d89d6258da41f56b2d06ce5e5aec21d6e0c88f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE00.tmp.exe

Filesize
78KB

MD5
ae2db838811c786640de1bb75627eb5c

SHA1
69051884fe94d6955ff9dc72e8b8c0bdb42c380d

SHA256
eb9f6a4e8209a73aaa32a3c1a2b701d81acf555d78e6f215915aba6f719ce822

SHA512
f8054c22369cd31418875d66382ab493477558bf7dad64b5ab1914cd4970c9b211acc47f5a1ab5c5619d487805a112b7373a47c0239853d010cd20e24502d6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDEDA.tmp

Filesize
660B

MD5
1ce2512648798d36f70e865b0ce233e2

SHA1
8d1d29d4d0894e53af0ebb95f04268bdbc4c6951

SHA256
b4279ae9f7effa0d6d34cf1772c5184f91895c3276876518f083d31e7a29350c

SHA512
002a5efa0fea30bc10fc7a2d3e4cf210f1501ccdb272ed9700f59da94b9a3281ddec1908d2b136e53a97856d9f816e61828926f9fb59b3ba620fb818972dc33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2340-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads