metamorpherrat | 655584d79282fc1d930fefde09cf190ae2e9ff72cab59a828b73f6e86101b316

General

Target

a159cb41fb774addaa90dcd79ad5bdc3.exe
Size

78KB
MD5

a159cb41fb774addaa90dcd79ad5bdc3
SHA1

a5440ae698758676f7a9cfad55969f898b45e9f2
SHA256

655584d79282fc1d930fefde09cf190ae2e9ff72cab59a828b73f6e86101b316
SHA512

f1ca3b602a01f5f7aecc848bf4519e6e1927fa94d59ad54126ffcbf51e8e66d86093df6612761ab7c17d5ad5c504f15611b01cc6638eb84668c2a3b1d1ff942c
SSDEEP

1536:EPWV5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6j9/2S1EP:EPWV5jSrn7N041QqhgL9/I

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	a159cb41fb774addaa90dcd79ad5bdc3.exe

Executes dropped EXE 1 IoCs

pid	Process
4424	tmp5B5E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp5B5E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe
Token: SeDebugPrivilege	4424	tmp5B5E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2436	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	85
PID 1600 wrote to memory of 2436	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	85
PID 1600 wrote to memory of 2436	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	85
PID 2436 wrote to memory of 2004	2436	vbc.exe	89
PID 2436 wrote to memory of 2004	2436	vbc.exe	89
PID 2436 wrote to memory of 2004	2436	vbc.exe	89
PID 1600 wrote to memory of 4424	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	91
PID 1600 wrote to memory of 4424	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	91
PID 1600 wrote to memory of 4424	1600	a159cb41fb774addaa90dcd79ad5bdc3.exe	91

C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe
"C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k4uquudb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8934D8CD17E44DCF91BD938AE33423E4.TMP"
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a159cb41fb774addaa90dcd79ad5bdc3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5D62.tmp

Filesize
1KB

MD5
edf020e33121d981df86f2ad3a035f96

SHA1
2f2f1022040e857a192557db41aa032013cf38e5

SHA256
cc2a442cde659d4754aae57ce980c520e1b106ad4e16c779e111464fe62f3bcf

SHA512
d71ac69b03651751662cd86dec4be8a88d9561dbf0c1c46610bf17e4d2aa1041acb7e0535169e67357e9e613d7e3076f838cc981d53fb34b22307b326f459538

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4uquudb.0.vb

Filesize
14KB

MD5
95a4e8db4c77f3180027fa15c5f56893

SHA1
85c3825d8894e5b93192e9fe94a880b757bcc659

SHA256
9e7cfa2c6da2d8574eb194ae00e8dee622afa703160c13c73e6158b175dcc3e9

SHA512
f6282487221f98900a04fed196c942d49f8aaf6d64fba9d6b2b5dd247ff0534ca1566561059eb8ba234a3e23f0965653e0c7594a4375bdae0560980cf234b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4uquudb.cmdline

Filesize
266B

MD5
916269e2068a82a0e87b5e486adcca5e

SHA1
b55fd42c3aed286bef5e295f1f03f3bb57a7fcee

SHA256
eb19fac27cd78b0d73e6c2352548adccecc1f231f9f906b94375c28ac67045c9

SHA512
5f9dacf3505e0105162cc18c4dd0e64e1c881a43738015ddc322b863f7d54558ff6cb81f98d80594d5b2c59dc4749c20e68e1607b10317db94a2a6eb69f7a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B5E.tmp.exe

Filesize
78KB

MD5
bf25b5c89e81d01bd4758abe451b18db

SHA1
fdb9899af63910697e5ff28a9b601dae91f8f251

SHA256
85ab99a34efe8cc7dfa49a2c0c0feb0a2c125e9544b7106543517203ae2717c8

SHA512
037652ce8258f88e15d946b0ef30aa79751e014bfac2a67f55f6fdb104773b5ba41c6d08fbb1f2cf1067b816e1b19cd481996daaa40ee159ac1ff355d3fa882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8934D8CD17E44DCF91BD938AE33423E4.TMP

Filesize
660B

MD5
e28757499a7f82ec56d7be2ca87e5402

SHA1
730700daf4eb6db5cf3897d5e5d4d1c4d421b517

SHA256
31b6ddbc57a0bdf3289d373bbd80b6b424c2451d1419a71d618631d4a56255ba

SHA512
96719e7c3c762f2179d41582fd258199cd4e3a84d37cd1616e0107177bfcf70858828abb0961f2bfc3396c99226ffafd99ea715d71ce208239b4c503a9944808

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1600-21-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1600-1-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1600-2-0x0000000001800000-0x0000000001810000-memory.dmp

Filesize
64KB

Download
memory/1600-0-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2436-8-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4424-22-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-23-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-24-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/4424-26-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/4424-27-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-28-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-29-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/4424-30-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads