metamorpherrat | d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273

General

Target

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Size

78KB
MD5

1bcb46b33c8090dfe71118c387d072f0
SHA1

9a3d4fc274bc581f266f8aae273251cdf0148075
SHA256

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273
SHA512

15afddd4461a0d91c4bb22cc9da7f6a3a3eaa62d3779dd7b530668cff1174d21f3927c90a24d9730e0b540357662cbbe968f47c7c49c0746094c109baa3dfe83
SSDEEP

1536:+y5YXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96l9/ej1Dr:+y5gSyRxvhTzXPvCbW2U+9/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2280	tmpB6F0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB6F0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB6F0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Token: SeDebugPrivilege	2280	tmpB6F0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2180	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	30
PID 1872 wrote to memory of 2180	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	30
PID 1872 wrote to memory of 2180	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	30
PID 1872 wrote to memory of 2180	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	30
PID 2180 wrote to memory of 3012	2180	vbc.exe	32
PID 2180 wrote to memory of 3012	2180	vbc.exe	32
PID 2180 wrote to memory of 3012	2180	vbc.exe	32
PID 2180 wrote to memory of 3012	2180	vbc.exe	32
PID 1872 wrote to memory of 2280	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	33
PID 1872 wrote to memory of 2280	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	33
PID 1872 wrote to memory of 2280	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	33
PID 1872 wrote to memory of 2280	1872	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	33

C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
"C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvjnnyah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB858.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB857.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\tmpB6F0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB6F0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB858.tmp

Filesize
1KB

MD5
1e699dd66b8b7c09b15e33fb16a207e5

SHA1
9e8564cf82b534bf992d702726f819ace7010e9f

SHA256
eb1c98617edb237539275c8ed306d05b57c801811ac42385b873d8a31bbad2cd

SHA512
651817ccce0ad46884d6d21ff7c08a84e4c48b93392a9e724233ed9395eee556afe812336d615d0e4041132b0518a789cb91e1d5f34b25ea0e9814dcd0fce2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6F0.tmp.exe

Filesize
78KB

MD5
07049973a0911304d2e9e3f3346b310a

SHA1
356826b3ebbef328fc196311cbe60bab5982cf31

SHA256
b45e57d4407728709e47c45e03dd299a5a35ed37f4c33cef1eebaae477424dd7

SHA512
2fa06f4db0c27b83e57b258f08aa2780a49c65d17c4265bb25fcf29181abb258c0c6b39c4e095900be439fd9be1155dc6a26b0221ea85acaf711518e1143831f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB857.tmp

Filesize
660B

MD5
0362bf3a4b507f91b4c26bcfa9467fe5

SHA1
cab649cbd17f6284dd3259846e2fcaf4a417aee9

SHA256
f468e193b219c038f80b85780ef21f54157005c39eeeb342e5ba87921534d6e0

SHA512
99646c02101da036bd9ad4b976ab391c96ac5cf39eb63285dd2c43562e170188373b403ec8759b69b53e3057baef0339823080100ae1c598bdc073be1fe6bb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvjnnyah.0.vb

Filesize
14KB

MD5
b2976d781757022711ce02d3133b1f75

SHA1
02947ac14c46aad4d8dcb5569090014fda59159e

SHA256
9f225eb74fd586eaa7207b3001a8514344d5278bcac32ea1cf3d49c5e733cf3f

SHA512
49ab160a3b7739cfeeedf76c203e8c25ce6a6e1d6326c9b76dc881e4e2951a4477d2f57ac3f13ae133b16bf69298aa2dfb0ee2ece96e98689b3dcf626e42e94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvjnnyah.cmdline

Filesize
266B

MD5
81656ab2604edaaf1e16fe543fd4b695

SHA1
642e0085133b9844e661ef05880f81aec826e7f6

SHA256
bc05509bfb9dcaace762705997dbe6f10ffd1e47c2a26865491673632d511ad1

SHA512
9b8c3f076d9444104e5f53f5ca3806c2d3e6f6e135e4e8c2c39310b153120649709ce378c4c364b036d559580373b00f8a97e2ffc07e9796f9313dbcf6b2c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1872-0-0x0000000074371000-0x0000000074372000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-2-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-24-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-8-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-18-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads