metamorpherrat | 2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699

General

Target

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Size

78KB
MD5

4a2966b481f738097e4c0a574ed70d00
SHA1

94b17490616dbc1499ea0e0ee39f43eb4f709615
SHA256

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699
SHA512

bc8e321b039c23a64fd55743a3cad9f29f0fd53e258231b107988ae6761698de12c83a8d229108cab612cbd43d39a8f2195a567be5fea85868fba4ee81f256c2
SSDEEP

1536:6tHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtwF9/jM1uQ:6tHshASyRxvhTzXPvCbW2UwF9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2772	tmpEE45.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpEE45.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEE45.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Token: SeDebugPrivilege	2772	tmpEE45.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2752	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	31
PID 2708 wrote to memory of 2752	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	31
PID 2708 wrote to memory of 2752	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	31
PID 2708 wrote to memory of 2752	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	31
PID 2752 wrote to memory of 2900	2752	vbc.exe	33
PID 2752 wrote to memory of 2900	2752	vbc.exe	33
PID 2752 wrote to memory of 2900	2752	vbc.exe	33
PID 2752 wrote to memory of 2900	2752	vbc.exe	33
PID 2708 wrote to memory of 2772	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	34
PID 2708 wrote to memory of 2772	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	34
PID 2708 wrote to memory of 2772	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	34
PID 2708 wrote to memory of 2772	2708	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	34

C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
"C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tm2tmjdy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFEA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\tmpEE45.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEE45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEFEB.tmp

Filesize
1KB

MD5
cf9fb49b3c3a5b3797ca5495b9061069

SHA1
5ceec0cead49aab73d2c8881a80d660be1a8fe88

SHA256
aa37ef1213fb23bb2f15828952f5eb120ea4230ac00b0967d40a18a9e7d16934

SHA512
5134735eb702e8810cf63662ad0f2f345e4a2b37144407edcdf38e4ffe188aa0a7b05e2eff68e14964fcc54f1aa5ab1761492fa4c9f277f9ebda091cae2683f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tm2tmjdy.0.vb

Filesize
15KB

MD5
3e2973dbe8e384acc41d5b2bb62f4d66

SHA1
4f9a5122d7e386bb174465b11f1619f491406bac

SHA256
1781eeed8f34548da06506a05a20de81195ee304e8679d29bd687e776d69a712

SHA512
1b729246fdb70d188c709b045bad850f1980acb2bf7f67ffdd6d2a2579789af0953c676b9278dc196ea71406b89e677647c7cb1cd3d12f0c082db8e1a2606a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tm2tmjdy.cmdline

Filesize
266B

MD5
77b53121c95a979439907fb6378dcaed

SHA1
cf14f855494c64faa137ca9f4fd62b4821f2d3f1

SHA256
6f8519e367d4a6fad77a8d233979cfb44be4698bb5031e1a1f225dc118a77a5c

SHA512
15b7b096de8aa82e191046d6c28671471bc582f4c55234dcee162cb404413141b454cc4533aecdceb3f3472282763c2bfe146020003ea989925ae38a58085407

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE45.tmp.exe

Filesize
78KB

MD5
03b79b9ac0b30a731877bd98b32933d0

SHA1
9cd40dc723105afb9651d2a83347feac67d18790

SHA256
ff62d26f0b3419508a1a73f46b8dc1864c33b66b2b3a106fd5a592d2d3a656f7

SHA512
b71ac2b811e146ff93618c84f0ac22e77ca6b2f8b553e5f0bf3cfe995a1fbbf81be8b91701d44d14d52491b2d85d011461c49518ac0783a80faad148c82ceb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEFEA.tmp

Filesize
660B

MD5
3e28fb45aec052ecab5a1dfc91242a8a

SHA1
091e9c67782fd37cee3781ac55ae7216abc09a55

SHA256
e264405d2280b8e5423ad326b3d1cdc197bfd00992766dcc5bcc16c5b73e3dcd

SHA512
8c1e7a63f100b0eeff76d19576fc24fac50927dbe2d75e52c8704ae63f2a91d21db94766f33d68760c09002326f0e286d3c39c02d0a04a8076e7fd70642433a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2708-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-24-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads