metamorpherrat | c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75

General

Target

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Size

78KB
MD5

92b56149bcaa610de8cee54fac72d887
SHA1

c30d7b6bf60600a5fc775c81b735e581b9c42b1d
SHA256

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75
SHA512

3ea9310e06749d2644518e3ea2d1795aa04a29943a00e4afb4a17adbc4b31a558060859322afd51cc85ce0d82e2453ab9567954a4a4c9d20504f7030b0be3a46
SSDEEP

1536:JRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6f9/gu1aaa:JRWV5jOSyRxvhTzXPvCbW2Un9/Ta

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2748	tmp8298.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8298.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8298.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Token: SeDebugPrivilege	2748	tmp8298.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2076	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	30
PID 1704 wrote to memory of 2076	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	30
PID 1704 wrote to memory of 2076	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	30
PID 1704 wrote to memory of 2076	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	30
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 2076 wrote to memory of 2060	2076	vbc.exe	32
PID 1704 wrote to memory of 2748	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	33
PID 1704 wrote to memory of 2748	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	33
PID 1704 wrote to memory of 2748	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	33
PID 1704 wrote to memory of 2748	1704	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	33

C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
"C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1cjv1dnt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83B1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmp8298.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8298.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1cjv1dnt.0.vb

Filesize
14KB

MD5
fcde65a4984238112505b22e299c2dd5

SHA1
b2015b93e4cefc9955908581ee82a992d40b91e2

SHA256
a6b13e17b2da853701593638ece4edec724afbb68fa6fa7adc0be3bf9bd8118d

SHA512
b35133bf5af13fd442ce1764170fd83726227a9388b39cc8085e9b1801aee286ec2f756bfd18923dfbd2e76d62fac4927b5ac48fd38f79c93670eb9b28618b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cjv1dnt.cmdline

Filesize
266B

MD5
0c789f65498994498a5f40d0514a0d62

SHA1
fb4bb8cae191e887454e046a328bfe68f1f6c185

SHA256
fc49ed971968f94a1f98dbbf90ec0cc8e1fdbd6a9ac45dffea6ae0a7b36e582c

SHA512
36a08d9c3433a8f0d8a5b55d9077456ef34de2ff1e55397a9b88aa80713726fe4ec66d5a2fca88c29171ca785248589a81a1cfe1ca2c83429e45d287c57854f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83B2.tmp

Filesize
1KB

MD5
2a980ae82d8205b5bed2ca7cfb726544

SHA1
4659cd8536ad62dc16079e468799451c2f98a736

SHA256
b8044ff6662b075570cb25469be26c5e2e1d3f4b618e5e61366b217e7865c261

SHA512
2b48bbdfb3e758273198b0e75d46c86e42b908aab078caba29bcad497e8e5618e460fdd1685cc50e6393914fd94f5b60e473fc3bfffa4024170101986b311cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8298.tmp.exe

Filesize
78KB

MD5
c28c19b58d8c107073724a7d5f9226cb

SHA1
78019950c3968ddc58c3b533c4203dc231e085c1

SHA256
d7c9a10ab06c856e5752b0570686e944cd3b837478499889094535c76b305fba

SHA512
29d481572e1687f2fa5e8e3fd8426b4fb200bb306bc9ef24ab30f041e4780a6fa6bdec54ca854f151c60e4fb6e16d896435ac19727e66ae55e98190603437bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83B1.tmp

Filesize
660B

MD5
6c7b788472744e20cfd5562e520b6bc3

SHA1
65c3f66f0af8bddf885d990e8df8f431e7fe23d4

SHA256
ab4ec9fa4af01d5d79e7964982ca71fc328d9ae2e5f5d2d1fc522c64a9f991c9

SHA512
1cde29bbb92a63ca9a2428b0e0b658171b3c30ea8baf8be7e696e81d83a5c6ec4eeda394f40742dd3abcbdb0d9c91fb5032a7a00231deb878fa37c439c378069

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1704-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

Filesize
4KB

Download
memory/1704-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-24-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-8-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-18-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads