metamorpherrat | 6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6

General

Target

6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
Size

78KB
MD5

64ede25968eaf1d786944fb8dd60134f
SHA1

02ede7184de208287c61e509b7b93c5e3b57fba8
SHA256

6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6
SHA512

a875bda5f5d432ec2b80247c6ae52e92ff7dc9c89a256026521347f9c41659e84637b20174aeb590f5e51d259c4491a50900b0ec3555bfc65223450d70e74633
SSDEEP

1536:+y5YXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96l9/ej1Dr7:+y5gSyRxvhTzXPvCbW2U+9/W7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2928	tmpA19C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA19C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA19C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
Token: SeDebugPrivilege	2928	tmpA19C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1620	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	30
PID 2548 wrote to memory of 1620	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	30
PID 2548 wrote to memory of 1620	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	30
PID 2548 wrote to memory of 1620	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	30
PID 1620 wrote to memory of 1184	1620	vbc.exe	32
PID 1620 wrote to memory of 1184	1620	vbc.exe	32
PID 1620 wrote to memory of 1184	1620	vbc.exe	32
PID 1620 wrote to memory of 1184	1620	vbc.exe	32
PID 2548 wrote to memory of 2928	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	33
PID 2548 wrote to memory of 2928	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	33
PID 2548 wrote to memory of 2928	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	33
PID 2548 wrote to memory of 2928	2548	6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe	33

C:\Users\Admin\AppData\Local\Temp\6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
"C:\Users\Admin\AppData\Local\Temp\6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5857_5wa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2C5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1184
- C:\Users\Admin\AppData\Local\Temp\tmpA19C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA19C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6765cc7ecc6f99061f89941cc280d206b0142667ee26d3852096ca1443e635b6.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5857_5wa.0.vb

Filesize
14KB

MD5
9228f7808f7b1f78743ab4a1d5391296

SHA1
43f71cc834a08567936728713f256d796855a1a8

SHA256
8d6623fc87e16d010f5475bca22fbaca240ca61485778e8c6d4b1024cf097d2d

SHA512
c28c2671f156da66c532793c2ced16c5d1f2fc8e61ad3ed05a212e6e7ca137b9ffef1c87fdbae7bbdec36e56a31f5d47ebabdafd8c3013112d0f0ac3665a6125

Download Submit
C:\Users\Admin\AppData\Local\Temp\5857_5wa.cmdline

Filesize
266B

MD5
5713087fa1b93c0a63fc09bffee6e52c

SHA1
9a68bf3f7d608cb0bec524351d6f08e7a5bed5bf

SHA256
fcd9a7a9573f033f12234f4fead3a19c00ede15a4fa06a6ff6a80e7ebe7f7228

SHA512
9a42cc81c473d9fbc84fe4ddf67543bc5f4484ee31ac90aa421f962e0673ae80857d86fff909fd59c1961d8135e6c8e6d6c1eff05d30f0aa7d0a0d05e87a4e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2C6.tmp

Filesize
1KB

MD5
089a282d6763ea7d77ea909dc1abc6d7

SHA1
d53c0b16c2d492d0290fcaa17423f4157b08c836

SHA256
91e678ee6447e32ac633e7b1d191a1faccbf76835ec4d66ff7fa6c7156872c69

SHA512
3572cff7ec92ad7135dd71b0ac190cd01bbfe423aec7c70ebe83144da0714b2707041830b6538e25fe755a2113c42f5e0e8f42cc52a8d608e59c97dd04c35417

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA19C.tmp.exe

Filesize
78KB

MD5
5619b2c050a29528797d7dafa78a122a

SHA1
31a1fc6a971b4f5325ee881a5242b69c20dac5fe

SHA256
46a5e0f11357b9c206afb89d218ca41beeea92f955a45ff04e60220851562331

SHA512
4a110aa9ff025f8b008ea5225556c691266c4404e15a5ce22888c563c60af1f46104f9e4f92505e0a17cb21d6506e8ca89a6e089356967b75850ddcd6f9d3904

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2C5.tmp

Filesize
660B

MD5
aab7e2b26774828cbfcb5f70672378df

SHA1
9f715b2b6fcfe150fbfd7fe8c0fd17415491846d

SHA256
d3c3dbd8a9c7c152149f63f58864048efd3a19c6085d8bbd77958740912ee7b6

SHA512
3ca09f06155c09023b402bbc0ac86e72150940780a0c610f3cc67cbc3fe0ae7d70c09c1145d7df36939f3fc32e3f2df0c025524fddff51df0bea71bb2fc89876

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1620-8-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1620-18-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-24-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads