metamorpherrat | cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62

General

Target

cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
Size

78KB
MD5

2d945b53f667100d2e31633e89130f9c
SHA1

38eda96f053547cdd2aaaf83a8388348958670bf
SHA256

cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62
SHA512

d5ef0b44166562d4af1bbdf1226cef91e831155db8538aaccb0d0874ccb5ad9803416e43ad4f665039a5652c92c26458e3a0c8f2ca0bbd0c1b2d33a7a06194df
SSDEEP

1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1HaM:iPCHF8hASyRxvhTzXPvCbW2Ug9/GM

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
804	tmp9731.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9731.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9731.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
Token: SeDebugPrivilege	804	tmp9731.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 352	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	28
PID 2324 wrote to memory of 352	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	28
PID 2324 wrote to memory of 352	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	28
PID 2324 wrote to memory of 352	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	28
PID 352 wrote to memory of 2224	352	vbc.exe	30
PID 352 wrote to memory of 2224	352	vbc.exe	30
PID 352 wrote to memory of 2224	352	vbc.exe	30
PID 352 wrote to memory of 2224	352	vbc.exe	30
PID 2324 wrote to memory of 804	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	31
PID 2324 wrote to memory of 804	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	31
PID 2324 wrote to memory of 804	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	31
PID 2324 wrote to memory of 804	2324	cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe	31

C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
"C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vbb5xoiq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97FB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Users\Admin\AppData\Local\Temp\tmp9731.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9731.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97FC.tmp

Filesize
1KB

MD5
852250ebf9d1cbf153dda0bc519d4e73

SHA1
ea896ae2cbc4f836798bfb67190dd7ac2069babe

SHA256
a3a01359577dde6fb2989abee1e29c297a8e38725d8779fbb8a59ca879d4c44d

SHA512
a9bbc500eb5bbab03af2875c8350d69e20d0cdf8dacb4a18760ff10e716a78497a28dd53b57637503422ff5e9c95999c6bc64e63302ba510ea7fc0401fdeb814

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9731.tmp.exe

Filesize
78KB

MD5
eed2b22d49b17e057f7fb38e5eb4e7f7

SHA1
280b5c1c550fdec4c491c67b0688a92810727d34

SHA256
c53d7418c02a30e0fbb7957dadd0338cb4b0b355b518ec269f196b6a2c16681e

SHA512
a55eeadd72f6cace801e07eaf187fdf6f359185c14f5d627378ec05aecc751e40dd8d363cf31023963d8d2e70a6f3b5569e321fdbb6020622e670dade2f06438

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbb5xoiq.0.vb

Filesize
15KB

MD5
81f65d4c4b187e25bfe6d6179ea78952

SHA1
bbc4b2444def7a56b9fbebe38889276006380fd3

SHA256
bef354a177474af819b3651955a27cec7aa8d355511ff4f7c35df2d164bf2bed

SHA512
6fa63d01e58087e089d93eb4de87d5b624dcc47f2f448fe3b108b69cbeb2e39a46af2cdc26124baa025a0d4d105a62713c741bb6dcaee36cc109fe42671fb923

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbb5xoiq.cmdline

Filesize
266B

MD5
d6bd8bc8ce5a28ed3653fc7f386c5707

SHA1
289693c8505149ad08d114939506164ee5501f69

SHA256
e71cac227dfecfaa9818c94c9f95b9fc7a72ecb24ae4eaae5b5fe7453e5315d7

SHA512
511b2358997383530c3465933fb4d9d0d160111b53305d6bd6f07a1df67a8ef17494642e0d749301f7deac25fc1b484c72cd736787d8e53096e337682b8c4bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc97FB.tmp

Filesize
660B

MD5
0ed7ac3df144741b5cc2030a75db31d3

SHA1
8d7200c55eef3e6f4d991ad8b64f4bbde5e1b716

SHA256
475a8d422b1169a2a61fb34cb4f7f779b05cfb3b85073b9bef703995042c62f2

SHA512
8e26af93fe36c9cdd8ce24c40810d2224e12d5af44943f873812e8f55ad0e43ca089f1f3e96c18d188e9e6b5801920c0bca1301abb682cfca495bd63634f0479

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/352-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/352-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads