metamorpherrat | c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75

General

Target

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Size

78KB
MD5

92b56149bcaa610de8cee54fac72d887
SHA1

c30d7b6bf60600a5fc775c81b735e581b9c42b1d
SHA256

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75
SHA512

3ea9310e06749d2644518e3ea2d1795aa04a29943a00e4afb4a17adbc4b31a558060859322afd51cc85ce0d82e2453ab9567954a4a4c9d20504f7030b0be3a46
SSDEEP

1536:JRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6f9/gu1aaa:JRWV5jOSyRxvhTzXPvCbW2Un9/Ta

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
468	tmpDF48.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDF48.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDF48.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Token: SeDebugPrivilege	468	tmpDF48.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 3024	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	31
PID 2832 wrote to memory of 3024	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	31
PID 2832 wrote to memory of 3024	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	31
PID 2832 wrote to memory of 3024	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	31
PID 3024 wrote to memory of 1364	3024	vbc.exe	33
PID 3024 wrote to memory of 1364	3024	vbc.exe	33
PID 3024 wrote to memory of 1364	3024	vbc.exe	33
PID 3024 wrote to memory of 1364	3024	vbc.exe	33
PID 2832 wrote to memory of 468	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	34
PID 2832 wrote to memory of 468	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	34
PID 2832 wrote to memory of 468	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	34
PID 2832 wrote to memory of 468	2832	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	34

C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
"C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gtq4f_nh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFF3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDFF4.tmp

Filesize
1KB

MD5
bf7c4943be5be36075581d6c631412d6

SHA1
1b505a18555fde06efbc2a0cf1c7d9dc94ca2510

SHA256
a09e694ebe7303f1ee74f260c24f5b929e8097abd88f50c9429519e944d3cbbd

SHA512
285a13ad503f49b22aae60b63d548c1dfaa89c5ba5d4e8a14474ad6ce997cd0517d3553454b6bcec51a9c16e655ef5be40a1029f865ca4ff0bdfee73e1df4f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtq4f_nh.0.vb

Filesize
14KB

MD5
b09e3bd87c576207f3d3ba2ad922d72e

SHA1
99ff73b1a0e9b789d51af754cd1047d7ddfa4196

SHA256
a9072f9eeada24f6ee24d4e61fb44bd462131d337ea3ab8b21b48a2d2b1618aa

SHA512
1e6f015458c07a15a6c51e12f7b808cee288d0774699581747e037ac1643d44670d3e59b6720ac92d3fa3b35634be6fc19c3200d55df180238b0e6e68ec311a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtq4f_nh.cmdline

Filesize
266B

MD5
5bdf032308207cb5ff64c7800917ad19

SHA1
cf0a34e6de5db6cecfa27a8eec03a0bdbed5bf09

SHA256
0cf30d4f6833a7a4e732af939f0f70d2a2a27fc62643fd836dd4a6424567e993

SHA512
bc3bff0e1084e063f2b01388210c52728b6c0287bf022ce083275b6921f5650d2bd5c92294ff4ebbfd4402820f8a28a55fdf7778a7ec24d765635cd55d2a860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp.exe

Filesize
78KB

MD5
fcb57cd06ad51f1287f568042997c9d5

SHA1
132598af52484c7bbd98019590b8da6906a2ed15

SHA256
f965e369e17223a70c1796a8559d6ae8c15d0bd258304f0d1d248c341042f785

SHA512
fc7ef5d0a7e62a9b024cc185aa4478f51d9f8189f9e6749d5c0fb2f216ede7e3496de0a180a856e4ebcedb0afca5c44b2c9af9393f0f8837748a6ffa348363a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDFF3.tmp

Filesize
660B

MD5
e89aff1157ecf89b0576664951761cc5

SHA1
6757a7e532de6c38083fa187f082d1085ac323b6

SHA256
e11008056b4a302cd7169c43f6066375f536bab734157cd1c91f66c788417131

SHA512
395e10708bc9c52dcb8fe9744c9aab0ec30c89b1b00406b4b7bf19ac7e679d3435d5ca76be40a9803deedb41fe27efdcd859013a74d782d47369e60bd23ac2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2832-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/2832-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-24-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-8-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-18-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads