metamorpherrat | cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940

General

Target

cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Size

78KB
MD5

a2b0dee2daf2170c258fc68533075f86
SHA1

dbc5cd5b0fded25549ebadf2cf47c3a2558a3c3d
SHA256

cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940
SHA512

aa3ccbc8f3a6ffc19f9fadc64de394b9ab8d7b257566926c6d8faa1b9ac2843a3d0ffc1ccf74a8ab987c861e79101955fae32cda68fccec04111c0f667595b4d
SSDEEP

1536:o5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96+9/9t1m6U:o5jSpSyRxvhTzXPvCbW2UZ9/9pU

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe

Deletes itself 1 IoCs

pid	Process
1748	tmpBB80.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1748	tmpBB80.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpBB80.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB80.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
Token: SeDebugPrivilege	1748	tmpBB80.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3972	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	82
PID 404 wrote to memory of 3972	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	82
PID 404 wrote to memory of 3972	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	82
PID 3972 wrote to memory of 3680	3972	vbc.exe	84
PID 3972 wrote to memory of 3680	3972	vbc.exe	84
PID 3972 wrote to memory of 3680	3972	vbc.exe	84
PID 404 wrote to memory of 1748	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	85
PID 404 wrote to memory of 1748	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	85
PID 404 wrote to memory of 1748	404	cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe	85

C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
"C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyerhaxj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc128A4C6E2F7B43F1BFD93B13B3CE3B91.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- C:\Users\Admin\AppData\Local\Temp\tmpBB80.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB80.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc8982e537ca9e07722f03d59f84fc4fa927e2295e61b409ce6df4800ca95940.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC7A.tmp

Filesize
1KB

MD5
85b61c2ff8dd376c6024f806df54d82c

SHA1
c6a9012ec6bb3ab0685201236e0065f05ac15d88

SHA256
a864ef4f1c8f802f623f247fd0880e6dcf27a7afa76cc25350fbd777b72594ff

SHA512
c0197fc38b8253bcc1d8b325ac51c935e7fec4017910a85bea27f238924468a46bcb6406cf0138714275499910761cb2f71cd85dceca0bb91cb057bcc37f4364

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyerhaxj.0.vb

Filesize
14KB

MD5
5b43a73abff4beeb10706d62148ef8b7

SHA1
aa0a2166d1b39ee6eded8d406e7411895efaf00c

SHA256
37b272d2e2d14379a9855a4b4c307845ff0b45999ae68135e8fa8b19a90fb57c

SHA512
b67bb219115aea824e2027783c3efcbf9841509b2e70cb6b68c11cb132b0e3e4af28aabc2b1b167da73e6f03d95692a650318fb6bdafc7198f3584723306ade1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyerhaxj.cmdline

Filesize
266B

MD5
4cd007db1ec4be139b0d69701f8207b2

SHA1
966088fa32510e5e0638d8c9ba372e5d6196463e

SHA256
33b59372097b04db98aab1f04e3e2914a64632e4cbf1f80200835e1326d08c54

SHA512
0b983936cb3be5c6b0d2e2c8c8e4dca51b86ae7bd3e8f0d396c8655c7a70c48b8d75401e35a7cb096461192aba3936486f9469e8ab257fc59c63b09238e5ce1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB80.tmp.exe

Filesize
78KB

MD5
e7d0876a4cd2050abb284d60078ed498

SHA1
0216caf9277b2564f2ec85360a2bdc5e59ebb1e8

SHA256
605f29b66a86a13569e7f3bd8345b75720954a5ff3b53c2f2ea2983cea112207

SHA512
4ad8194710a40387edf9247f028ed2c5850183aeced65b62f5bebea12146280e08343780c0cc9c900bc8805d787a3d139f0bfe20d157fbc3579051ad8c5171f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc128A4C6E2F7B43F1BFD93B13B3CE3B91.TMP

Filesize
660B

MD5
2eda0f03b9428e9360cf514f08e058fd

SHA1
e32147159b4031eca934ed2ad70a1311678c2147

SHA256
16f14808843c888379d2f05d492c72deed0bb4fb9de4934837624d60e476dc8f

SHA512
a673a28d906659e3e5d74dbaa2a2d95419848948b23f395ca6717649cfd1b2f79432f641bb47d8ec78b7ba379c601cb3a14c31cb137f4a3e19676dbef1af6615

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/404-22-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/404-2-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/404-1-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/404-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

Filesize
4KB

Download
memory/1748-23-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1748-24-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1748-26-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1748-27-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1748-28-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3972-8-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3972-18-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads