metamorpherrat | c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4

General

Target

c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
Size

78KB
MD5

ea191a74e1c2bbcf50687d16fb91cc12
SHA1

cfcb47bdd113a323289c94ea83fca8e1171a653e
SHA256

c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4
SHA512

690fcd546fc3673b51f068a58d78f4c25dc278c9a2f0278ff4944430fa8083b859f1e70e6c28e4d16ddbaff1870b0a707086268c561cb466a620b406f3a577a6
SSDEEP

1536:OPy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty699//+1xxb:OPy5jSSyRxvhTzXPvCbW2UV9//0b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2880	tmpEAEB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpEAEB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEAEB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
Token: SeDebugPrivilege	2880	tmpEAEB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2848	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	31
PID 2140 wrote to memory of 2848	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	31
PID 2140 wrote to memory of 2848	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	31
PID 2140 wrote to memory of 2848	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	31
PID 2848 wrote to memory of 2876	2848	vbc.exe	33
PID 2848 wrote to memory of 2876	2848	vbc.exe	33
PID 2848 wrote to memory of 2876	2848	vbc.exe	33
PID 2848 wrote to memory of 2876	2848	vbc.exe	33
PID 2140 wrote to memory of 2880	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	34
PID 2140 wrote to memory of 2880	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	34
PID 2140 wrote to memory of 2880	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	34
PID 2140 wrote to memory of 2880	2140	c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe	34

C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
"C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y2k2makd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC81.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\tmpEAEB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEAEB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1bc78e0106917bb6d326e6a3ed94310e865135b75185c709f8286381de33db4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC82.tmp

Filesize
1KB

MD5
a55726f16e943e1c0641ee5ae3cc1a9b

SHA1
5b167854f812966d91d6d079a249318cd7a4ce55

SHA256
604048a788abca2f61ebcca410eb290546a688039b5fb2dc84557e903d517537

SHA512
c86b4d291ee41341e6d558c2b3bd0d77c1d8b89a2178edf15f45bdb37cb0bf8e14b0df9f2b647ddb9caac291da2e95f80b77abd28ebb946dcdd4e4d0a25c23e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAEB.tmp.exe

Filesize
78KB

MD5
251948b196b9b802f6838bc37f3260c3

SHA1
4bf9248aac2b08933dab8f50cfdc40e640d36c16

SHA256
496a3b35db8b203a28476e960a1185bc3d9c2df9ca7b33bf33a31c7a04d3c77f

SHA512
f19c2aa3bc14b67b97598c4fb76d3f6f8f9a9502fcbe3fbd9b311dbda1e67d2e414d442a016c9e5bc20ed52fe234c30ab3f0ac08589d31431abdd43ddeedafbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEC81.tmp

Filesize
660B

MD5
1da596554990bbdea25e0c5e29b63d6e

SHA1
579831bda1b2e45537740e33df7b0a52517422f2

SHA256
894292030ba79cafc6a2dcf8e1d5146bfb2f739984c756d30205c230af2135c3

SHA512
b2c5837708bfa0ea17699b4023c4c9d6f721c013e4167a4b973241e6a9795c794ed26b2341179240395ba5e015d09daad2dfaf591f33531d7dc7ae68ab0ecd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2k2makd.0.vb

Filesize
14KB

MD5
94146620a4613a75a5eab369fff2070b

SHA1
67d8f628695b9fab0c85b885208df235f173bfd1

SHA256
2b1d9e85ed3a154a0fedfbb9dfa3a11079f84b2e43900d2f8b1137d8d714377b

SHA512
69fa48758da3cc5685fb4d78568c76c44cec0c42c065dc6e32454081be99db55cef8c78e10190763f89da084473a3001f74d8a698f941f7011e17c3478cc9a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2k2makd.cmdline

Filesize
266B

MD5
25989a7c3956e15dd6c41fa4ca45272e

SHA1
25bc94fb732ccb616d815eb2c24710a85722ef18

SHA256
0023cc0d96240cc2f200a3a6dc9ecb22d616de2e7e83493f400bd44ded47acc0

SHA512
35db45ea9e9d797408f830ec6d195e17c57e6568816daa441cc567006c31f1c117ac09635eb71ad9d6a164a7d1bfec1d7c4bc2f9680078c0fa91b9474bd97cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2140-0-0x00000000746E1000-0x00000000746E2000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-2-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-24-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-8-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-18-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads