metamorpherrat | 60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c

General

Target

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Size

78KB
MD5

7fce8b67a8607f52f0f58b95eef23120
SHA1

0e506a7effb98b39c1272da3ee38c8f0d54467b8
SHA256

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c
SHA512

0eec06a28537329a6ac92301d583cfcfd4c051e59b56bc0b595a10186ff57f865d7409d10a223f1d8ad91670db7b0806c70a18105960130d833668826af39008
SSDEEP

1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1Ha:iPCHF8hASyRxvhTzXPvCbW2Ug9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2100	tmpD069.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD069.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD069.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Token: SeDebugPrivilege	2100	tmpD069.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3008	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	31
PID 2128 wrote to memory of 3008	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	31
PID 2128 wrote to memory of 3008	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	31
PID 2128 wrote to memory of 3008	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	31
PID 3008 wrote to memory of 2112	3008	vbc.exe	33
PID 3008 wrote to memory of 2112	3008	vbc.exe	33
PID 3008 wrote to memory of 2112	3008	vbc.exe	33
PID 3008 wrote to memory of 2112	3008	vbc.exe	33
PID 2128 wrote to memory of 2100	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	34
PID 2128 wrote to memory of 2100	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	34
PID 2128 wrote to memory of 2100	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	34
PID 2128 wrote to memory of 2100	2128	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	34

C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
"C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\prtbqkwp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD183.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD182.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- C:\Users\Admin\AppData\Local\Temp\tmpD069.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD069.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD183.tmp

Filesize
1KB

MD5
f644b9f72edf1e73f82af57160f6769d

SHA1
eb82f554545507a33e84c13e9b8a0028da6e30c5

SHA256
fac49a5ad7b437140064996b231b83930a929f37e0bdb4fc48b6c672ccb70df5

SHA512
90a3133589a0f3b84bd492558969c90d7c63331b97065f92490461343befde4078109d04c99159fe0c1a58a084e65f86ac7ec293e23e3921e5a6a17f5f796741

Download Submit
C:\Users\Admin\AppData\Local\Temp\prtbqkwp.0.vb

Filesize
15KB

MD5
e9517db22f833d5013f6c76c392a9411

SHA1
d13c217573f6b29e081809ade3b680f0064c61c2

SHA256
0f13018eb96e9fcc497d40652a63e23db6e660a0ccfbdfe6716a0db3df7ba8ee

SHA512
6cc4cb0368a9eb944eb2a5c96431958a99cca094c7e5f6f36a55bc78aeb994baa1d7c584f46e19451134696bb9fdb02228668b34c90d5b612aa3ded6078817df

Download Submit
C:\Users\Admin\AppData\Local\Temp\prtbqkwp.cmdline

Filesize
266B

MD5
606ec8b720e004ea2db43272d5e01952

SHA1
19f78b0f4da5283bce5da765a3cf503cd0df04d1

SHA256
5ea52d9169c0e92829ded5165cb656d9c9fbc3ae75e87dd0dc09d929500a9901

SHA512
b6802f1849a4db53500a4e693da613753864a5d4035a448dcd709252beb5412192ce470c4cc48f1b148f40c2eb186c82f4a5af6d4d57927a7185a1630f001eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD069.tmp.exe

Filesize
78KB

MD5
5646bf0b31d7dfe5abe3c2d0407ea790

SHA1
55485753538d2abe2b64a6a8eb4c1aa202fcd665

SHA256
0ebea24727347bf318efeddb204885f3c51eb4ccec3349d6789b017a3ae8e28d

SHA512
45218cfc1306e90f3a8ab7851353791c05ae0f88a938e98c2cd0c87dc0c9877b0432788a98d2e151556eb70ab8eb764777b705a9d01621d140d58d0cd6a96e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD182.tmp

Filesize
660B

MD5
d4d27ea591f4e3c88b59799879026aca

SHA1
e4888b165bd58790581cd75257d5fbad6f6dd9c4

SHA256
94733a44c84fb5cb5de174711f08c65f656020234b1c62899a391a883802c0d2

SHA512
4612f54a0d306b684be942fde91a9fd3abf68c3958be1694f2b52707ef9cfe511ddd2a65622ae45f8e26ac7edf97fb37e10ae307a6e14414c9232e991dac38e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2128-0-0x0000000074C11000-0x0000000074C12000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-24-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-8-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-18-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads