metamorpherrat | 1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268ac

General

Target

1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Size

78KB
MD5

862505ea452c4a0749cbbdd38a99a1b0
SHA1

fc2feda64ac0921eb0bfbf4f73832615aa7397bf
SHA256

1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268ac
SHA512

162fd800a580c25a48f0be06dcbc4a75aa65d0f680d158b37f92d3b9e70a6022b34d1261e0a2919be7418e714ee113bd6ce1a471b598b89f5af454d56f4504f2
SSDEEP

1536:kRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC629/JWV16A:kRWV5jOSyRxvhTzXPvCbW2Ue9/a

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2724	tmpEB39.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpEB39.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEB39.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
Token: SeDebugPrivilege	2724	tmpEB39.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 588	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	31
PID 1720 wrote to memory of 588	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	31
PID 1720 wrote to memory of 588	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	31
PID 1720 wrote to memory of 588	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	31
PID 588 wrote to memory of 304	588	vbc.exe	33
PID 588 wrote to memory of 304	588	vbc.exe	33
PID 588 wrote to memory of 304	588	vbc.exe	33
PID 588 wrote to memory of 304	588	vbc.exe	33
PID 1720 wrote to memory of 2724	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	34
PID 1720 wrote to memory of 2724	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	34
PID 1720 wrote to memory of 2724	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	34
PID 1720 wrote to memory of 2724	1720	1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe	34

C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
"C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f6xkxi6e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:304
- C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1ae2db6febb5ac5c668740cdd7b13d343685ca7bf18d8fdbedddb24509e268acN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp

Filesize
1KB

MD5
d3f1d67227a056cc3081369c81c31cab

SHA1
230369eae6c3326e953043fbcf3b7a295b95eb60

SHA256
24afc82f02436b70c07861b3194f1228ebdfa84d6f65d177e2167965e7041487

SHA512
3d245d9dcd89f22107a29b5748257c4b6bba336367a9fbf9089f707ffcb021685ddc02e8aec648d8ae006edb44e680984406853382a9848182715659d6222e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6xkxi6e.0.vb

Filesize
14KB

MD5
e1262e7fb587951fa81f3b5be5f6a8f2

SHA1
15cb59ae0061084783dfae8a0992d1b30591a259

SHA256
247e6472316822dfb959e8dc07d2c20e1194fd1cb1e6c35903c707159432a532

SHA512
cc39b042f719f8b41eedd332140c2ff642492d51b265724c8341b565c7ea04b215e96ebb9fd15a167b546448a63f2856656a56bc8daf0f28514a670d4d24eb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6xkxi6e.cmdline

Filesize
266B

MD5
e268754f03163bdb34cc745396b773bd

SHA1
61a09a7fd12b57c876d3a25f088ce5dbbc0b472f

SHA256
f9c8eb07d3a91b9962c29cc8eb174798e2b85648a8695d8c23b5cd582c11bddc

SHA512
35e30ed1fa056f169f5c8f7420a95e99486dc17f535d27f437aae65898fc5862fd9ebde36abc482bd246289c8b5495fb6bed098e1468b13fada06397f69f2d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp.exe

Filesize
78KB

MD5
a477a20e46a1d88588c6233fd40a4880

SHA1
d5aa2619b69323c74877ce46c234cdeb242b86ec

SHA256
e29227de1db7a8b36c8ec59152ba28f5d1ae416d7a826e927b9a8218d80c6758

SHA512
9f462ff1f138db6c2a3c142f2ff832f91af96288266344b7ea4a2294308c6643ff63602efb4afc15d0fb879e113fb8574d9df7dbaed68c810bb325b7d206e81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp

Filesize
660B

MD5
1aa7bed0f8c9d10c1d171e1f3c1969e1

SHA1
6bee5320b9bba21bb7ecce073e792111382deac9

SHA256
2a84e79ee37675d8cdd81a5aa913b440936e7df47fe3abe7c534c7c258db3508

SHA512
07d295a384e40c50805a87232a589511085d5d78cc7b9d4f0e00409c0dd08c8f7333d20284bbd009e7a304066f9005f5d8fdab4c2e9faf1e52f27f6fa9ba3e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/588-8-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/588-18-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-24-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads