metamorpherrat | 60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c

General

Target

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
Size

78KB
MD5

7fce8b67a8607f52f0f58b95eef23120
SHA1

0e506a7effb98b39c1272da3ee38c8f0d54467b8
SHA256

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c
SHA512

0eec06a28537329a6ac92301d583cfcfd4c051e59b56bc0b595a10186ff57f865d7409d10a223f1d8ad91670db7b0806c70a18105960130d833668826af39008
SSDEEP

1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1Ha:iPCHF8hASyRxvhTzXPvCbW2Ug9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2076	tmpBC6C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpBC6C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC6C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
Token: SeDebugPrivilege	2076	tmpBC6C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2128	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	30
PID 1620 wrote to memory of 2128	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	30
PID 1620 wrote to memory of 2128	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	30
PID 1620 wrote to memory of 2128	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	30
PID 2128 wrote to memory of 2360	2128	vbc.exe	32
PID 2128 wrote to memory of 2360	2128	vbc.exe	32
PID 2128 wrote to memory of 2360	2128	vbc.exe	32
PID 2128 wrote to memory of 2360	2128	vbc.exe	32
PID 1620 wrote to memory of 2076	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	33
PID 1620 wrote to memory of 2076	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	33
PID 1620 wrote to memory of 2076	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	33
PID 1620 wrote to memory of 2076	1620	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe	33

C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
"C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rrl2pysp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE6F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBE70.tmp

Filesize
1KB

MD5
1b6446e58191d594f887ce50eb49ac55

SHA1
ea3ca8424b004523f5d4be1203fbcd823e9aca4d

SHA256
200e1fc25ca4d46eb90a2f51274203a82a44521d473d91f16cc02b889aad7e2a

SHA512
6c0fc485d0c2d42fa8864750e31733b7bd366c6f0b10467835a824d96de0d358b0bcc1ec544bbc4911cee5d26dd97992521d5d5a5a12410d8a7cec8ca9a372c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrl2pysp.0.vb

Filesize
15KB

MD5
fb2226a1473493c829c96ae3eb129dbb

SHA1
89ab0bb466e16c2966421bc056d5208428fab82b

SHA256
88b1355c5a1e9dac552353a13762a119c20df66294abecef3d058ecc2eeb7c4e

SHA512
9130037d36b5b5ef3eb7003a662f2395ef1e8ebf86810897c63d82eec09512afd19c2d4da35596f350d962d6bca7e58a94f960fb8736e16aa6c9b480df468021

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrl2pysp.cmdline

Filesize
266B

MD5
176d0c90a7dc3fba262600db6117a0e1

SHA1
487a4902d16c244ffc2f85be751c70d0f4cff780

SHA256
8a7142103a3b9dca4e649662bf28ff13972aa971ba1e2bcaf9426f0a75446352

SHA512
b1e7167c4561867eecc97c462386ddfa3c12b118e6e06b1396c48d877750b5093b174e2616853d859e20d622a1d93715d434243d2ec4d38fa969885884d7d44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC6C.tmp.exe

Filesize
78KB

MD5
c3d53045e087e7a2ceac416c345c384c

SHA1
09e2ce9ec2efc157f9420ba38de0caafede693d5

SHA256
d17fbe61764f0931f905a66979710b6c979ddfc60d8954f089f452e0f623df1e

SHA512
e9033c2a88e140cb642d9feb984e62b99ad9cd2b826e462cb16f6b50ee4056506a5fea047e2242fec6f56a43a48909759cf410c3a89e920dd36cfca9070a1b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE6F.tmp

Filesize
660B

MD5
aab1e2f247df591be669b6d0558ef260

SHA1
d92ef51b1b1d8a395118dba118c28fac099beeeb

SHA256
4311517acbd31ef1e0b2d8bed02f4abdd2b75a19397c6cafc038974afc9a344c

SHA512
4e2f79e1f94541e4250a9533302c01dd68830de04951db78c86586e8c528cc15ac670be6de79fc7fcd7ddb5ca0eed4ae7b1d52bebaf3902f173cebe7db7bdd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1620-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/1620-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-5-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-24-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads