metamorpherrat | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940

General

Target

cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Size

78KB
MD5

a2b0dee2daf2170c258fc68533075f86
SHA1

dbc5cd5b0fded25549ebadf2cf47c3a2558a3c3d
SHA256

cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940
SHA512

aa3ccbc8f3a6ffc19f9fadc64de394b9ab8d7b257566926c6d8faa1b9ac2843a3d0ffc1ccf74a8ab987c861e79101955fae32cda68fccec04111c0f667595b4d
SSDEEP

1536:o5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96+9/9t1m6U:o5jSpSyRxvhTzXPvCbW2UZ9/9pU

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2752	tmp9E04.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9E04.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E04.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Token: SeDebugPrivilege	2752	tmp9E04.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1240	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	30
PID 2272 wrote to memory of 1240	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	30
PID 2272 wrote to memory of 1240	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	30
PID 2272 wrote to memory of 1240	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	30
PID 1240 wrote to memory of 2192	1240	vbc.exe	32
PID 1240 wrote to memory of 2192	1240	vbc.exe	32
PID 1240 wrote to memory of 2192	1240	vbc.exe	32
PID 1240 wrote to memory of 2192	1240	vbc.exe	32
PID 2272 wrote to memory of 2752	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	33
PID 2272 wrote to memory of 2752	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	33
PID 2272 wrote to memory of 2752	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	33
PID 2272 wrote to memory of 2752	2272	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	33

C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
"C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\darn31dp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F4B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmp9E04.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E04.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

DNS

bejnz.com

tmp9E04.tmp.exe

Remote address:

8.8.8.8:53

Request

bejnz.com

IN A

Response

bejnz.com

IN A

44.221.84.105
DNS

rwkeith.no-ip.org

tmp9E04.tmp.exe

Remote address:

8.8.8.8:53

Request

rwkeith.no-ip.org

IN A

Response
DNS

rwkeith.no-ip.org

tmp9E04.tmp.exe

Remote address:

8.8.8.8:53

Request

rwkeith.no-ip.org

IN A

44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

152 B
3
44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

152 B
3
44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

152 B
3
44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

152 B
3
44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

152 B
3
44.221.84.105:80

bejnz.com

tmp9E04.tmp.exe

52 B
1

8.8.8.8:53

bejnz.com

dns

tmp9E04.tmp.exe

55 B
71 B
1
1

DNS Request

bejnz.com

DNS Response

44.221.84.105
8.8.8.8:53

rwkeith.no-ip.org

dns

tmp9E04.tmp.exe

126 B
123 B
2
1

DNS Request

rwkeith.no-ip.org

DNS Request

rwkeith.no-ip.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F4C.tmp

Filesize
1KB

MD5
1cce4b213825f9c1d17c7255b9c5ea17

SHA1
578b7fcf434b0fc42b3be6d84f546d8ac3191e86

SHA256
4cd6af18c6a3ba10e4971662a6a5864058d3a3184a30e81e72514a09c88531e2

SHA512
b64ecdc8aa12e998f18f18c4a3abf75f7d9cfe31af023568e326c3dd3bdcb1e7d0b000905fcd2439d954fedcc165974d39983134b7dfe6d99cc8c5a7a6156306

Download Submit
C:\Users\Admin\AppData\Local\Temp\darn31dp.0.vb

Filesize
14KB

MD5
b9175235b3467ca6c2b04c9baf91e339

SHA1
824e9b1534085673195b8ee77ca4164851d3c39c

SHA256
61668875ea9cde2fe82d7fa94cd435c1b4bf7edd2538ceda39aaaab68c806e4d

SHA512
458e1379292d786398922e354c456dd83a1d379305f367c474cca7964ffe4652ebb36ddc1ebc2e0afd99749031a6389005644c6f0df652974e6a26b8da2aa837

Download Submit
C:\Users\Admin\AppData\Local\Temp\darn31dp.cmdline

Filesize
266B

MD5
f86332d99a205a49ff4d9d6f8b4d571e

SHA1
11c246b0187e2a51dd2306b55c8b2cd24a600bba

SHA256
0bf504bfc2dac2a9d1b92afd76cc68d0a933f17474061cd305348779451ea3b3

SHA512
ada593c130941e78329f35d3af5cb6e1b1cb762efe71129cf2d8f7e1f174d136a1badbddd647829583d0f0f01c3e96c8f604644d9f5ae64a9ed3f25fbc4516fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E04.tmp.exe

Filesize
78KB

MD5
d74f887396ff7417943fd743aa78b9d0

SHA1
49628f7d2a32e1512a1abe127309c8981e5f986d

SHA256
7415a9f690603715ec997cdf49501e9ae92895cc33bd211338250246552cb909

SHA512
72115f08c6cb5626c601b5796d6f3c770b91db362e455af4fb391515c0ca74f5ef6743db8d008844c8699d8a5239c9f36b5609eca627b7d8fc9eb637a3e9ebe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F4B.tmp

Filesize
660B

MD5
db8d7d98df1d1ee87c2647da0e32a876

SHA1
1e646d74def2452cdad4ef8b0d7b24af145644bb

SHA256
f0f1a693a4658902979faa4c1f22532f1ef782445ce49d31be1595f0ebc1a98d

SHA512
c37e3ebc85f7e772a2377a90514c89d5999a8a00006b08326ce9c01d649a449f17c8a1c418aa51eea371d5d2e27f97a6f9935448f1b74e01b58c9877680d5872

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1240-8-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/1240-18-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-2-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-24-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.