metamorpherrat | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a

General

Target

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
Size

122KB
MD5

c9d37054a8372b74f0de27dbdb4b7436
SHA1

083bcbd248bcfe4735f3785cb789647dcf02e7cd
SHA256

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a
SHA512

4525e6acc3f4e118f315059f152a362dbed3a81e87fb46a1b6d388c53d9d547c0125db2a3c19814d559611e07150e5141d8d854a992d4e5a5a3f95dc7a1bdd28
SSDEEP

3072:+vCTDGgFwxgc0MwWvEsqfEcDemBXw6UoamxoF9CoTEgnShXAFKa2rMJt3cMtPRG5:lBgvoCRJvR36+dDZon9

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF69A.tmp.exe

pid process

4964 tmpF69A.tmp.exe

pid	process
4964	tmpF69A.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpF69A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\normalization = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.VisualBasic.Vsa.exe\""	tmpF69A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exetmpF69A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
Token: SeDebugPrivilege	4964	tmpF69A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exevbc.exe

description	pid	process	target process
PID 1988 wrote to memory of 4920	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1988 wrote to memory of 4920	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 1988 wrote to memory of 4920	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	vbc.exe
PID 4920 wrote to memory of 512	4920	vbc.exe	cvtres.exe
PID 4920 wrote to memory of 512	4920	vbc.exe	cvtres.exe
PID 4920 wrote to memory of 512	4920	vbc.exe	cvtres.exe
PID 1988 wrote to memory of 4964	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmpF69A.tmp.exe
PID 1988 wrote to memory of 4964	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmpF69A.tmp.exe
PID 1988 wrote to memory of 4964	1988	92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe	tmpF69A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
"C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7vwahnj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6C485993404432899F6A53CF6ECC178.TMP"
3⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFFF0.tmp
Filesize
1KB

MD5
95f2ec1c93d4aad5813558fea395956c

SHA1
efd5a89d854b9801e0655a8a2e596c5f98f542f3

SHA256
9a70dd30231753ad17579013d0506682d1733a6b7738a35138c1e28470842f0f

SHA512
0db120d577ef797db741f2810afed2ddb49173abbaef4dba9b64cb1ba7d5af234bfe98be9c37b09917c20500e2803c7b3bd73ca547c640e729d59fedf21852b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7vwahnj.0.vb
Filesize
85KB

MD5
b7396f26ea95e1bf93beb2e306048ce8

SHA1
f37ae83e9336f2c1ea666de6ce83bb25c2a46ca2

SHA256
afc76454c7bf4561af36289ed86e7f70fb28a215fcc70dbb12a848a640a1d30a

SHA512
d66dd754575acccc5d0143a0b84dbf40f11bff1c45b0eca177e1ff1adaabdeb09739f9775cd32b2a899a2e4f1a059fda970e89664204baa3b4a9724aead590e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7vwahnj.cmdline
Filesize
266B

MD5
d7acb7cf51ebfa78423ca4485fbb72eb

SHA1
fb04d672d48fe7724448415407dc56f9e6021b59

SHA256
fce482ec793d661a1132842d0456def8fe98eaf63861ada3b7743cb06120ffbf

SHA512
e2caeaa21189594f6c5414f24f432382c3157ee7ab02a55107942add52355b051ce7d16d7fd16b5a503b6400fd9b5963b26acf3cfdaa2a27bc5a3e9f4e6bbc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe
Filesize
105KB

MD5
ba80dc36701859fe403b4aeebbd02df0

SHA1
0b7d9b944448ecb6a1ccef77dadd89a65093b93a

SHA256
dfc0899d653f274c686b6d329684826c96ff41b7ffa44d1d1f2f80ff32cec8d4

SHA512
52b8f5260f21a157a0645b982396c5f63d81800f320d6582e595fa2bbad1c7cc63168ca6a41f539a5ab8bb4c2cccd6e61a2b2b41e5c6500f2e4a3c49d9b0dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe
Filesize
105KB

MD5
ba80dc36701859fe403b4aeebbd02df0

SHA1
0b7d9b944448ecb6a1ccef77dadd89a65093b93a

SHA256
dfc0899d653f274c686b6d329684826c96ff41b7ffa44d1d1f2f80ff32cec8d4

SHA512
52b8f5260f21a157a0645b982396c5f63d81800f320d6582e595fa2bbad1c7cc63168ca6a41f539a5ab8bb4c2cccd6e61a2b2b41e5c6500f2e4a3c49d9b0dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC6C485993404432899F6A53CF6ECC178.TMP
Filesize
660B

MD5
03abed65c2108101b93e991ead7884cf

SHA1
02fec4050ef3b3458cc9e58ae2ce7bae0cb507e3

SHA256
084e26c8106c9d95f64f74f1bd4617eb42bac2aa7ceb818faabdec43ff434806

SHA512
3d4dac4f503c2c40842dcb932a8539d1fa53a6ce88555fcd614a6a78f020d9268529043295685a3d1669bfe9b5614e3781738104e5ba63125f78ace8153fac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
ab2ae34957da340df62e391e4c787903

SHA1
bbc36baa919c8bd54848f942b1649085fc0e7f69

SHA256
9dab1334b4275bd3c2b051f79cc66eb8854f808eea4892617668c634842fe669

SHA512
ff676f0ce26a2b867b2d37847fccdee6a25a99d3003490166673c8ba3048e79c50e9247ecd91287c638bfa42dc4e240df8ba076f6dc2b0a44b9f4fdc6c4941b3

Download Submit
memory/512-137-0x0000000000000000-mapping.dmp

Download
memory/1988-132-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/1988-143-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4920-133-0x0000000000000000-mapping.dmp

Download
memory/4964-141-0x0000000000000000-mapping.dmp

Download
memory/4964-144-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4964-145-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads