metamorpherrat | 0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838

General

Target

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Size

78KB
MD5

8b1a90f924ea8843777efa6bb36d9a44
SHA1

b72b10564f5a9c7d6c5b26137746e641e8dadf8d
SHA256

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838
SHA512

73c4f3c4cf864ba761acae2bfd7a75e054e629b4b575f4919b96ba73c95cb3cd6276bb7ba2d1830a39f859664948d6a6ad9ec365962b334f3f0782f3c4010dd6
SSDEEP

1536:V5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6V9/FE1dAU:V5jS4SyRxvhTzXPvCbW2U+9/JU

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2212	tmpD76B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	tmpD76B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD76B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD76B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Token: SeDebugPrivilege	2212	tmpD76B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2288	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2324 wrote to memory of 2288	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2324 wrote to memory of 2288	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2324 wrote to memory of 2288	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2324 wrote to memory of 2212	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2324 wrote to memory of 2212	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2324 wrote to memory of 2212	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2324 wrote to memory of 2212	2324	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34

C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
"C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9uoan5nk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD808.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD807.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Local\Temp\tmpD76B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD76B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9uoan5nk.0.vb

Filesize
14KB

MD5
73317d464cc1111eeb1211fe2c637b91

SHA1
76695c066ea26a50db7515e76f348c1602a8b7fa

SHA256
6f831132c2beb21c69da5f121b4a5aa9c3f5c60a864688f7dccfdb88f8718a3f

SHA512
5e7b4b7934b43af7ce1d5364fb64a1d4093f69c091837c0f3637d873a29a3a32b84ee939fd19ef924bb996eb921f6e7db6555c005cbb21db32e46e4ce1d8afed

Download Submit
C:\Users\Admin\AppData\Local\Temp\9uoan5nk.cmdline

Filesize
266B

MD5
a7d61f4c0244f2d210486f13be977573

SHA1
39886cb413e304da66d30b75a9cc1afc2ee5fa46

SHA256
cb82e36736ee7e4c1889a5238d1e5c17b724797c2e8cb902890a98ee81b2e792

SHA512
6c08c9ffe47500613c0977e7c05ff21408c2a6860894b35bddc527b241fc7be2467f092e063e95472133f17cac6069dd40cc026800fcc52c8bac7d83eb7fe66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD808.tmp

Filesize
1KB

MD5
c4a882edfddbb5af948c4d41353b81fa

SHA1
c750f32b12bffa75a5bcb89b1a178b504f35cadc

SHA256
7b3d8488b69eee757985b3cf64e289ccbd2ba729932a79b3db2a37c5bd3f50c4

SHA512
1cf88b5078f0af66d323db64b8f721453007aa7ca8d61125468d140d7afe8ed704bb77eb755d73f10bb7eba3a610f1ddfa9ed6bd483ce78d5ccb76a48331b3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD76B.tmp.exe

Filesize
78KB

MD5
5265e71f36f59f67a0c1a1e1e68c9a15

SHA1
cb781b8b7c17b78ac9e56525f354030f62f957cd

SHA256
2e9db799dccbbdc5c618c95db02053a496539ad6985c955efbb6954ad27ff789

SHA512
fa7c36e781edecc31cae17a9ba8646280d89201dfa6fa4ac7dd47c0ebcc41eefe559ecf96c6271c45826e4c102735006fec3613b69e99399cf2b6cf655f51017

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD807.tmp

Filesize
660B

MD5
669ccf2d16e99ea7b4c1ffb94ca49473

SHA1
bae6563adf39b11babe6e22b5de814ecd5a82545

SHA256
18eb0d79c96d51a958095bf4208091e63c5dab540bd6c31f6d6f00907434139c

SHA512
ae676959530a16e2754a8383ae589bcde59b8b3a57def33d44c82dfa534ca77dacb059d114a2285c4f5d99b7fb64a10e2db9854dc52e5a206ac8f3e9ec6987ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2288-9-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-18-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074121000-0x0000000074122000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads