metamorpherrat | 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00c

General

Target

66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
Size

78KB
MD5

c9990768388e8ffdd4f7644aed366fa0
SHA1

9df1027572a239bdc6c7a05049cb24333a14be30
SHA256

66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00c
SHA512

ac6989db1d9c5f2def9e5fe2a8fa040eaac02d7cebc024ad3c11cb0ccfa202d117e6142e4c473966e3652a276b3059fe7239d841b043a3a42042bc5595963214
SSDEEP

1536:9PWV5jcXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96Z9/Bc16X:9PWV5jESyRxvhTzXPvCbW2Ua9/BF

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2056	tmpB903.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB903.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB903.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
Token: SeDebugPrivilege	2056	tmpB903.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2476	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	30
PID 2176 wrote to memory of 2476	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	30
PID 2176 wrote to memory of 2476	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	30
PID 2176 wrote to memory of 2476	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	30
PID 2476 wrote to memory of 2360	2476	vbc.exe	32
PID 2476 wrote to memory of 2360	2476	vbc.exe	32
PID 2476 wrote to memory of 2360	2476	vbc.exe	32
PID 2476 wrote to memory of 2360	2476	vbc.exe	32
PID 2176 wrote to memory of 2056	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	33
PID 2176 wrote to memory of 2056	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	33
PID 2176 wrote to memory of 2056	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	33
PID 2176 wrote to memory of 2056	2176	66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe	33

C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
"C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxb0sryu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9ED.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB9EE.tmp

Filesize
1KB

MD5
7c8fb9746e9fa86d584234a3323d74f7

SHA1
ab9d744caea3451a13a80f544215203435608b5f

SHA256
40279d52560313c62bae980d9bb41e5015cd68c33d481010252eaca98e0a68af

SHA512
8ed30b2298bd92dd7b95fd489122c780c7783a8ae9a34e9b1eb3ad12119a2fc31888ffd9847d282a0e4140c37f7cf4a328ec8a51f98d16025c7b79583a2a59f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxb0sryu.0.vb

Filesize
14KB

MD5
0e237198ee1a076811fc29b20731769a

SHA1
289334335d99bd119de18e38bd346d2b79429dce

SHA256
44bd29d5b9e70b923716a113213f467c0ad17ebbea90a5f99e177e1c735f516f

SHA512
8973b2a48dacbdec535eb1d92539e3e47ce39ba97a33903d43c24739b22ab7902fb8554a1096b220a25a4b4b90eca627621f7a6e430d66e541a7a95192f9c287

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxb0sryu.cmdline

Filesize
266B

MD5
8938af2f7f2ade0658061fb26c88c466

SHA1
46c3252da71158d45ffaf7fdf56fe2e069ea98fb

SHA256
16e16cd201a324c51b6124bd60ca055a911859c425af4cc0cb83895bad0ebb54

SHA512
0c5f27648363e204575148effaff4a55d070ee594be38e0dddb095d86c58a16e9ea008ebcd9cff67a8bd4dcf97bd5679a9c9a7674731bc28e306ea549110014e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe

Filesize
78KB

MD5
4e853538fb1fdd690a516aefbed9b586

SHA1
4a67d5bb02186d106ddff2e4e4c9d6770f1a6107

SHA256
7bc1039e4145105612919c1c88fb9bced2b91fc250528401cad3b047b2c58479

SHA512
0a26cb9d73440b25e8f38851ac6da4a611f0edb8974c564f93d230cd635f6a4d9eb5ecc95a27a94cab1d57d9fc364a2d9fde28e12b68d16c8a8fa2ffc814f0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB9ED.tmp

Filesize
660B

MD5
a404d2e3c9c96a1b774d6ffc6d9958d4

SHA1
079a08d743bda588bdc4be34103fd96fd556f508

SHA256
ac757903db9c7d22753f41be1c95ec46969072882eda870eab0269885650790b

SHA512
db4bdd8c9b4d470c9e3a0190d20585698118721134274fc9ff60a0992dc19a03a2a4b21f8bc325c5cf01386db6e902550f6ad21109e0549ba78e2fdf46709a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2176-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2176-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2176-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads