metamorpherrat | a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabc

General

Target

a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Size

78KB
MD5

65401931f5e4367d829d2a43b4fee2c0
SHA1

bd154f5a3946280905d2cf01a9e4d745a0b6f616
SHA256

a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabc
SHA512

cb3f00a174b4820f75c2254804f051bdbd1ddb5206eecfce6f8e6621a8d6c606c7cd7036d814c7055aacaa5d01a56ce27a0cf8c2f2886289b214bc1165c5fd21
SSDEEP

1536:IHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtd9/G12B:IHshASyRxvhTzXPvCbW2Ud9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2592	tmp80B4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp80B4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80B4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Token: SeDebugPrivilege	2592	tmp80B4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2204	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	28
PID 1548 wrote to memory of 2204	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	28
PID 1548 wrote to memory of 2204	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	28
PID 1548 wrote to memory of 2204	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	28
PID 2204 wrote to memory of 2536	2204	vbc.exe	30
PID 2204 wrote to memory of 2536	2204	vbc.exe	30
PID 2204 wrote to memory of 2536	2204	vbc.exe	30
PID 2204 wrote to memory of 2536	2204	vbc.exe	30
PID 1548 wrote to memory of 2592	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	31
PID 1548 wrote to memory of 2592	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	31
PID 1548 wrote to memory of 2592	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	31
PID 1548 wrote to memory of 2592	1548	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	31

C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
"C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmd7rni2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES819F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc819E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES819F.tmp

Filesize
1KB

MD5
b92bbbb0195427a3f1f8b2a50044453c

SHA1
83f1e7329c5b75412c39145f1ba15e72c1bbeb1f

SHA256
cba087e1c4cceaf0b0e1b10369dd906978843c4533dc4a8f6edac74ffadc373b

SHA512
5a838831b7b9262bba5e1cad60e228ace6704ffe67c7326107250bfd9cf84453509152cde3723a90759194d005109fc61e0cdba1b296c181d722b272b9c8bed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmd7rni2.0.vb

Filesize
15KB

MD5
7f50e1a9e0d2bd3f559ff14dd5085986

SHA1
6d8423cf2a19912a829bab8aa940aee3f051655e

SHA256
6523d972c2ae3eaf7c9ca04342007e75746abf479d2a739a4280e4fc4e42376b

SHA512
300464e23b9577c018c12be53d812913c8a01ee3e2f71e5c187119a2d88cd3570634bca95a551d30d5f5c5ace9cc0c93e3354ba9f0c49e2d23a41f533abe6f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmd7rni2.cmdline

Filesize
266B

MD5
9d93a042d50b6d04fccf7e984796ab25

SHA1
f74bc44d228b033b7954d0d644cb6839d7723e0d

SHA256
4e26cf3afc5ee08520f3fdacfd221060a18e3ea3f42c3c1a459ebeba3a6f2ff1

SHA512
f6c0a7204c4f62e63f00b15351166eda348676cba9ed87e55349feb2f5f9b7b5739f7ff5b00ddfac20bc8c8e5f9b42c3630d12feda358c425569e273bbffd5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp.exe

Filesize
78KB

MD5
58bdf1a9404d935592db36dc93915bb7

SHA1
d8dfec9506206d28d6586ca312a7eb2945905aff

SHA256
24e6abbd69b3b0c736b5d02e5e73e00a950b05253121617b0d8bb2a8704ed548

SHA512
85e9234eba7a83f8c889066a4b57467f73248f46b0643111e6aadaa62d7ed4f93dc5d43a0cd841233755be40f52396b75b8a2558d830e7c6e3b4900f09b3a882

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc819E.tmp

Filesize
660B

MD5
72fda5a4704bfe38630fa719df2bbdfb

SHA1
e5ff8cdbff12b2e17e407ecf656b22b50b8fb77d

SHA256
5320c0372f5311bfe999a02b4e2a8355e3d36cb9043f240cb4ea1f8c86fcb081

SHA512
18ef43c1d2c1a15e571acb4ce1adc744600a95c6239ab2d6c80b2de8b0bb9dedad324adf90fba9007064aeb08121c8d2a21d0fb9c7b48a921d46a1f77f549304

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1548-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/1548-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-2-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-8-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-18-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads