metamorpherrat | 61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659

General

Target

61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Size

78KB
MD5

e4897a8be1034d542242980607e943bf
SHA1

e36b731bcce9b5a998c5f6977171b53941eb4441
SHA256

61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659
SHA512

5d0fed165da8812f4c6320591826bcffd5120c83bec0e4e3e9c8905b5c3f171e20b1ba15af83493e5774e65cb2fff6f555da89f6ee9728683cd90d0186350933
SSDEEP

1536:lWV58BXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6G9/kD1u5:lWV58BSyRxvhTzXPvCbW2UO9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2924	tmpC783.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	tmpC783.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC783.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC783.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Token: SeDebugPrivilege	2924	tmpC783.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2436	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	30
PID 2296 wrote to memory of 2436	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	30
PID 2296 wrote to memory of 2436	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	30
PID 2296 wrote to memory of 2436	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	30
PID 2436 wrote to memory of 2192	2436	vbc.exe	32
PID 2436 wrote to memory of 2192	2436	vbc.exe	32
PID 2436 wrote to memory of 2192	2436	vbc.exe	32
PID 2436 wrote to memory of 2192	2436	vbc.exe	32
PID 2296 wrote to memory of 2924	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	33
PID 2296 wrote to memory of 2924	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	33
PID 2296 wrote to memory of 2924	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	33
PID 2296 wrote to memory of 2924	2296	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	33

C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
"C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boxqhtbc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC87E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC87D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC87E.tmp

Filesize
1KB

MD5
fa54dd2ccea3883010fbe6233fc488c0

SHA1
5b304718aa54086626897f45df4a0e599b5a78fd

SHA256
36d1cc26726f3f7d49637a245ccd6b64eea535355e32273bdefa1401f254918e

SHA512
055f0d411d2d1439b7e8de79f00ab94cb8d94b53fa9ccd196ae239b596845ccd42a5997215773ef7c25879aa697234cd20e5490120d2163438987501509794e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\boxqhtbc.0.vb

Filesize
14KB

MD5
17bc7b275c80a7d0b04ff3ee05e3e420

SHA1
41ed955fbf53c3044baea63ba928bd54a8e50a18

SHA256
cdc91f03e6a961d35e2c8f044194fdebb9442f8ccad6abeba8edbc34db5a09e0

SHA512
842d563995f523b13883b426ceb3b652c6a7e38c95eb770efa0ff4f7011fda7a9d1f71a8c78c6f0182aa6dce78ea7a315f7e1b5b2b9920dd6c3266a446a78a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\boxqhtbc.cmdline

Filesize
266B

MD5
b38936c1a3e785de0bdb71506353073c

SHA1
adbb545c8c5847040a09c2739124ed6f42282014

SHA256
78456a1250b4675f429c5881d01a577fd35c8b0e773b4e198326aa452b0ab79c

SHA512
130046f8f73918e44443a3f9336487a0a2635cea3175764d0486e45efeb486680069400e37d16caa7bc387ed6cf5a7883fa3737bd1675bf4d3b667e0a24d3d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC783.tmp.exe

Filesize
78KB

MD5
d7856a026be5e621479fdefb665a4a10

SHA1
b199cd3dbe8e0bcdc0d472eb8a9c4bccc09a34fe

SHA256
96ec6ec9a5ed68bc8b3ddadbc295af84c6a8f7e74a8a910a593571c55c603298

SHA512
258d27b01a51d5b5e8af2f14c9f55de9053c2be396e9938a3b54afef8d7eeaad30445925481516b3a90a6b1cd20d87214b8e0821c528ac0f0780f5e2ceb69fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC87D.tmp

Filesize
660B

MD5
232ee4ffcc1346bc1b26c7ecf208b098

SHA1
c41842816600d31f1c468374f8ed3053fcda5190

SHA256
ea28f259b8d7f916f0b94da2c7cb1a639896c26bbda204d6f6b1ba2c2b6af519

SHA512
5140e98c09934bd99fdbfbac1e68f5828d02ee2ad24918fa2273d7eeeda59c6d3b7576048614ee6dc6157d6f845526f4078b737b94c2490e1ebb94d410cd2a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2296-0-0x00000000742A1000-0x00000000742A2000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-2-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-23-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-8-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-18-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads