metamorpherrat | 07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff

General

Target

07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Size

78KB
MD5

e5a28cec78d365832ad8dbb0ba37bd6c
SHA1

6797a971726d0528646c0a2c25398550d582af81
SHA256

07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff
SHA512

232b9719b281fb92e19f1405004c29cc91f19288166e0176465c52ece3e01ffd3b0a8818becefce01f65d18a0b86a0d6fc008b1ac258c3205e36800199a91329
SSDEEP

1536:ptHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRU9/jA1kdg:ptHYnhASyRxvhTzXPvCbW2URU9/Ng

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2764	tmpD00B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD00B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD00B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Token: SeDebugPrivilege	2764	tmpD00B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2148	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	31
PID 2132 wrote to memory of 2148	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	31
PID 2132 wrote to memory of 2148	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	31
PID 2132 wrote to memory of 2148	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	31
PID 2148 wrote to memory of 632	2148	vbc.exe	33
PID 2148 wrote to memory of 632	2148	vbc.exe	33
PID 2148 wrote to memory of 632	2148	vbc.exe	33
PID 2148 wrote to memory of 632	2148	vbc.exe	33
PID 2132 wrote to memory of 2764	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	34
PID 2132 wrote to memory of 2764	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	34
PID 2132 wrote to memory of 2764	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	34
PID 2132 wrote to memory of 2764	2132	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	34

C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
"C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uu2jzy8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD154.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD153.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
- C:\Users\Admin\AppData\Local\Temp\tmpD00B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD00B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD154.tmp

Filesize
1KB

MD5
f522179efabd95d683aeffd2c26e20d3

SHA1
7b7f83229cfb9515b44a6a69acc687da11a1acaa

SHA256
cf1762b6a341c784fd7920a8b3ad0eb734368d2faa8316f1714a0d73f376c623

SHA512
7bdbb9b29864c4cc96c9e82acd6c90429eb6aee35d9de7e1e3963fa4456d447bde7e06e61e3b3300f9a8d61a2fd96ac9652ca271f2fc7697072d72762cae37cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uu2jzy8.0.vb

Filesize
15KB

MD5
ed38448464b8470c3818ddd84f979160

SHA1
904cb4ec83fc0c4b2aa602140b297ed0ff9345a3

SHA256
10e8e1090c1ec6e442e80ab54733e2575a63d461dcac7333e9bb3747a8041449

SHA512
1c7cd10bc6265dc5a73729065d89eca87337bd3fcfbd86bf861191094acaec704a1c0f4eead63927889ff695739218ca036a647a7d7f77c5c25da7a280ed6702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uu2jzy8.cmdline

Filesize
266B

MD5
32a7b6ab61f161a8831e4a2f863633f2

SHA1
3d1fa5c6778d06460dbdbecab205605e9ea1ea54

SHA256
7de5792ff0bd8a2324c67db76d001930fa3e48cea2268647a82efba81d66665b

SHA512
0305d16c0db42e81aedc0a1759c908a02a03c93e728d68737992a8eb4492b0233f48d7360e90d5b71913e2a7cc7ee396972ccb4d3042107fc293bf1df26477d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD00B.tmp.exe

Filesize
78KB

MD5
3dd3974f6fef90b1fafc96e507c8190c

SHA1
91618f3054940f7f4a4c4ff729c2c9a865543fa5

SHA256
1f5b76dc75936fcdc05ec704718621da7bc2f46818079531601df65e3bcbb651

SHA512
440379729f0b20988035752c49b4548e7475100b04f50d9dbf195c53850694c250d54fb5b08b27247fb1d2aeacef342872fbf0ac62082e5fab0e11f85f059da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD153.tmp

Filesize
660B

MD5
2174d6c647c9bb1082fe13e0081160dd

SHA1
693122edd4f1bcb236ab4b15854216774bfcb809

SHA256
5513c9ca27cbd22f0a498a1d2aff2d58cad072c521ca61590e294d11a32bd5c4

SHA512
e1b5528bad32308d0e580079c3117298061093e07720f1335a12365bd27bd6370b85a4ddac7ee02203e305072df61eb7cc40abef25ed176a2f216c84afea6761

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2132-0-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-2-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-24-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-8-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-18-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads