metamorpherrat | 88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5

General

Target

88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
Size

78KB
MD5

a7755b37efc6aaaf9ad9bb597247b7f0
SHA1

9eeb5d77a59042ef3592970c3de0a70267d32641
SHA256

88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5
SHA512

38bd46a12a772db0f8aa33fe43be4f074967a2dc93ce21bbf6319b193408612420fc979bdd2c697aefc4364246514b9760e28d54abf9f26118860d0ac9506738
SSDEEP

1536:We5jxXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC67l9/31E+:We5jxSyRxvhTzXPvCbW2UDl9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2632	tmpB0D8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB0D8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB0D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
Token: SeDebugPrivilege	2632	tmpB0D8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2472	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	30
PID 2980 wrote to memory of 2472	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	30
PID 2980 wrote to memory of 2472	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	30
PID 2980 wrote to memory of 2472	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	30
PID 2472 wrote to memory of 1804	2472	vbc.exe	32
PID 2472 wrote to memory of 1804	2472	vbc.exe	32
PID 2472 wrote to memory of 1804	2472	vbc.exe	32
PID 2472 wrote to memory of 1804	2472	vbc.exe	32
PID 2980 wrote to memory of 2632	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	33
PID 2980 wrote to memory of 2632	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	33
PID 2980 wrote to memory of 2632	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	33
PID 2980 wrote to memory of 2632	2980	88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe	33

C:\Users\Admin\AppData\Local\Temp\88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
"C:\Users\Admin\AppData\Local\Temp\88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zziyqf_7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB194.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB193.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
- C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88acd56df611532294a0829c5966672cf5a10a0762b67f225fe2a52b8aa057b5N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB194.tmp

Filesize
1KB

MD5
09c664fddcaed6cde4738101e11c932a

SHA1
38928f2906a369b289773102092be00627849977

SHA256
b9556eaf7f09629fd9485f78006f1b4b4172306223c0c316128781d8be6169ee

SHA512
116e53eac906129dbd63129ba4403b5ca3b53fab4609a059fc354698f14eb90d1be1f632bde61bb0f56418f8cbf9e2343b697be61b8403079be1fc04f7d25d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.exe

Filesize
78KB

MD5
54668c676c0bf496eb2ab13b566b2f59

SHA1
5719ab58b57deb5c27a2636a74ecb057a1550647

SHA256
09dc9546407944e53e1690b6e51c8bc466e27113bcc016e2357fd574f6b1fb49

SHA512
276249d8e7c2a15670335203ee9545016fc045362c22b0abe7d9137a66ecb29eb499f95663f0bf44545f68e644c555f141b2afdc6efb3cea5617fc7a6c96a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB193.tmp

Filesize
660B

MD5
9a829e3f16c7170b951866407fbc6a55

SHA1
39dec5a609f40f33480a8c14569e8cd5617370cc

SHA256
b3cfd4144781ea5ba31f3c79623cde18ae082338b6609ab4e27d416b79995257

SHA512
94eb923e4e4634ad1d6b3f9127adbca4cf906cceb0c46f035da3945bd0222505f23824a56edf49ec0e5a8a691c1997ef064418bb94a24267ef17028aea630c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zziyqf_7.0.vb

Filesize
14KB

MD5
e0cca88dbf591db43f53cf3641c3e3fa

SHA1
217ecf648398b66f53165c401bce4b4111639bc2

SHA256
e49c77124795f55c75230a78295599db5b59781bb7817c48282a94e866d22d1c

SHA512
4142f34bac124b0eedec1ae531271b5f2b34c707066c8566d5e3f65caf3a7226d8fe714faf2814bc117d5237004ba1b88f08281ddefa636dc8eae2dfab71f7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zziyqf_7.cmdline

Filesize
266B

MD5
c28100ad40dca3a3db5c95758438b3e5

SHA1
65606148d58b8c070e9ead00424010f5ab37042d

SHA256
1356f92b2aab392330857494ee74d81ce0ad91d17cd4d32b7f0e8b7924203709

SHA512
4dd26308992b3227d885ff96feda24701b0f53be55f7dd45640610f6914e130c1fddfad832ff13b339b5f6f59bdbb388744caebc8952e8aba54d112beec56c18

Download Submit
memory/2472-8-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-18-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-2-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-24-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads