metamorpherrat | e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386

General

Target

67dd5acb7ae0086fb4621ed8a72eba96.exe
Size

78KB
MD5

67dd5acb7ae0086fb4621ed8a72eba96
SHA1

68ecf17551df7d9bf52ee41139341e8e8458a8fa
SHA256

e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386
SHA512

995c2e189e0addc2e3f19dad6da97a65e231783293e22eda8c2e2dcbc37f70f842898c3e82b64cd26653d9f1b013a3bb6cd61c674c402aad66377b889a7bcee4
SSDEEP

1536:buHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte09/B1cn:buHa3Ln7N041Qqhge09/G

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	67dd5acb7ae0086fb4621ed8a72eba96.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	tmp3D81.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp3D81.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe
Token: SeDebugPrivilege	4648	tmp3D81.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 808	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	88
PID 4196 wrote to memory of 808	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	88
PID 4196 wrote to memory of 808	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	88
PID 808 wrote to memory of 4496	808	vbc.exe	90
PID 808 wrote to memory of 4496	808	vbc.exe	90
PID 808 wrote to memory of 4496	808	vbc.exe	90
PID 4196 wrote to memory of 4648	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	91
PID 4196 wrote to memory of 4648	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	91
PID 4196 wrote to memory of 4648	4196	67dd5acb7ae0086fb4621ed8a72eba96.exe	91

C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96.exe
"C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8rkicte.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31BACD0E67AE4D9F9849A6BE9FEC4E8.TMP"
    3⤵
    PID:4496
- C:\Users\Admin\AppData\Local\Temp\tmp3D81.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3D81.tmp.exe" C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES49C6.tmp

Filesize
1KB

MD5
9089b67a6871a4c1db567cea97bde6b5

SHA1
36044a5917aa3a2eb95091ce7ca94747e5495d80

SHA256
205e2eb43dc94409999b21b46f9f80f00d25a4335cb65e47b28f2385079cbad2

SHA512
2622d9670253ed506edc672bc44d9bfc378f2b52ad24efc73338d75ee9510659fa95069f9b9116d9a2dc02c218ad4f04ba25f5445484f6e7f31bf5d3e984d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8rkicte.0.vb

Filesize
15KB

MD5
9ccc80afbeaad63dbf21c0d925fc3676

SHA1
4d8418a05bfd1328e721a6e3c34953de9eca0926

SHA256
5d43c9dc5602ba2c26e600a8cc1b866457100a4b76ed28a874d06311409e1ded

SHA512
362fce46dcf7732ca1d49c033478e7483c52a00509d1d58bc59715566ec617e4cea2ff57851d909500fbd45941075647be6361259a10d10d8bbeadac6fcc6c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8rkicte.cmdline

Filesize
266B

MD5
e6bee3aaa97b9e7c1519fac227355566

SHA1
efcccd62534119036ff786c59e17a6173060a4a9

SHA256
d0e81f013b42d7cd1b8ac94f3fb788e0cb634ebe77cb9ac8d38eb9f0ebc178f4

SHA512
a963ef4fbe322b667aea06018f6cfdbfc02281e4e187aee5bbd8686a6824c8524d6496c2e432c39e4faeda8bcbfc5b8d3ee0e7d5026e5439fb4d961e97a2015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D81.tmp.exe

Filesize
78KB

MD5
5fb51286121133dbb61751b09f4cd490

SHA1
c4c0a3cf014258d5a451c87865936e43e7e8bc3c

SHA256
34cfd5ac7e3f56b43c32134a45dc4be6bdd8d3dedff1d63234572bfe4f88ab62

SHA512
32cb9e2567deeff3b57743eb9d7cfb7f375e07f2811b2e3d399e65a517f06a2e4bf62f2b41d29804759346a8c411c539730e05f31b7ef227f5f515aa3156c39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc31BACD0E67AE4D9F9849A6BE9FEC4E8.TMP

Filesize
660B

MD5
e5f088f030e79348c24d46f44e717380

SHA1
29684ea3ba85de64004ae773b3621de0eb76c326

SHA256
fdbeaf21bdb2420d50ffbb2d8dcbdbaf0fb45e8ea0bbe50d665b3374dd0fc3b7

SHA512
b008c83c093862b79da9b2833e85f1eb00bdd81a176ae9685498a6227bcb1c5714b61462bd7ac0d0bcbff7420409aa6929a65f7f77af888b1deee2425002091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/808-8-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/4196-0-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-2-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/4196-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4196-21-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4648-22-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4648-23-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/4648-24-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4648-26-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4648-27-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/4648-28-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/4648-29-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads