metamorpherrat | c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28

General

Target

c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Size

78KB
MD5

fcfee62d15bc1020b62d0c2d96eefa68
SHA1

6e0716eb02b116df6775a11a44bb9d749b611c02
SHA256

c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28
SHA512

2dc97692ea3506dca80a0ae8d2b9a18e25532fbc517cf6f1d12d0fdec8e6451f860c8652650975ea61e76847c91b56a8f7fddf6b927e5e3901570a1ac6390c14
SSDEEP

1536:9PWV5jcXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96Z9/Bc16XP:9PWV5jESyRxvhTzXPvCbW2Ua9/BFP

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2148	tmpD3E2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD3E2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3E2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Token: SeDebugPrivilege	2148	tmpD3E2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2324	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	31
PID 2364 wrote to memory of 2324	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	31
PID 2364 wrote to memory of 2324	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	31
PID 2364 wrote to memory of 2324	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	31
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2364 wrote to memory of 2148	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	34
PID 2364 wrote to memory of 2148	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	34
PID 2364 wrote to memory of 2148	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	34
PID 2364 wrote to memory of 2148	2364	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	34

C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
"C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9_5ligky.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4AD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9_5ligky.0.vb

Filesize
14KB

MD5
00eae2875d20d3581492a1b8a51b9fd3

SHA1
e34f678f4070af71f6136a6819f561cb3b9c3d9d

SHA256
26946dec98cab004e92386b47314be1c527b2bf16c4d6c9731b17164248a8658

SHA512
ae6667c487af6894b68b1301b51f6775388ab3588e568508eef7ffc9eb3529d79f2f82162ceeb6560d55e7dbcc9ef755296cee3e68a3352afcb72c0f561dd602

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_5ligky.cmdline

Filesize
266B

MD5
59d6ca9576fe1793e0ad3893874cbdbc

SHA1
55df1868d4d03372c2bf3cbec4d168371e5b2065

SHA256
4ce7105eebc2aadb1580617696272d50bd4a29ecac80e9b4d6365e13ad1a00ed

SHA512
fb4d06224947dfeedde1f09c2858293b87a4d3a6996a4408ac2a5c3b9256ced84a37f7abec7c76ff829db9c9865b40a2038c14753791f46ecf0141bb711fa458

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD4AE.tmp

Filesize
1KB

MD5
74f21efd9183d44b15dbaa6661acb196

SHA1
cd3471872e53cb6136039e7c3a4e1377db829878

SHA256
6c8160fc6f883b76811455c2dee7ec28f7931867507ed53cf3c06f6adc287938

SHA512
37513c8cc9ea3ef971c397a40cb25ca9e0d1f6b4229b90d17ef69270d5bc3ba2b849b9b6231f77c7e796bb26c4e94878265c3f835da4721e72c25647321402e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp.exe

Filesize
78KB

MD5
d68f196c6cb9e91af34b93291fdc485a

SHA1
6fc028906aea8b963960a4b8f4d8346c9ee09ccc

SHA256
29b562e57ac204ceacb70940e8f5ec577375121c6a61d393c608dfa503c4b329

SHA512
90a962d64acf5804ccb600124b342338abc5cfecf28b07dcd33187f856a7904fbe71bccced2ce966ce6ded5a07da9d3788b68719718b35005b41fa92317e8f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4AD.tmp

Filesize
660B

MD5
b75f66832159bf59846694b3a28193c8

SHA1
e1214160a36f7b146077745147ead789b1495689

SHA256
005b32cbfac0f2299e08e72bf09786dc219c0f8229b6e09fda277d622cfb19ff

SHA512
2b22cc0373933d76574a0077f2792cd94b720331bd44bea3c8793615d42ea8cc2741e66a81af8aeaa53a372cbaca705b2eb4f7cb3c715c9e648f89bf2e5b70e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2324-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads