metamorpherrat | e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6

General

Target

e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe
Size

78KB
MD5

a2d86a5d190b79d2466f4cbe601b4742
SHA1

b3a59344e7e847b2a5cd7ac6df750bf2c792b0b2
SHA256

e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6
SHA512

97c842c825034b64bc2a3524672f7438a6192a225aa5cd483d892061494a02c68cba13f91f4af48d8ad82724b9f49c9f635c42a9758b35c5dc0c3807cfcba6f1
SSDEEP

1536:5e58Gdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC689/t1Jx:5e58xn7N041Qqhg09//

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe

Executes dropped EXE 1 IoCs

pid	Process
4060	tmp4BCE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp4BCE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe
Token: SeDebugPrivilege	4060	tmp4BCE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 4876	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	85
PID 180 wrote to memory of 4876	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	85
PID 180 wrote to memory of 4876	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	85
PID 4876 wrote to memory of 1484	4876	vbc.exe	88
PID 4876 wrote to memory of 1484	4876	vbc.exe	88
PID 4876 wrote to memory of 1484	4876	vbc.exe	88
PID 180 wrote to memory of 4060	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	89
PID 180 wrote to memory of 4060	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	89
PID 180 wrote to memory of 4060	180	e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe	89

C:\Users\Admin\AppData\Local\Temp\e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe
"C:\Users\Admin\AppData\Local\Temp\e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:180
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bz3aaj25.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25831E5DDFD3442A91DEBA3FBBC0727.TMP"
    3⤵
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\tmp4BCE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BCE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e5f5674965e6c00dc2cacf1bfcad2641bc868ceb0d9511d051d910368c42f1e6.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4DC2.tmp

Filesize
1KB

MD5
9dda4756fdca8f3cce58132b9cadfbb9

SHA1
a5392ecafc68e299c668e6d4e01460a65903f32d

SHA256
731a96054d4f58f62bebc92bb612a3407352ca4a487e0bc4fa535c73be2b4dcb

SHA512
aab3e591097718037381885c66af3b9ddf14e886a2c003582acf66e1d124a02c2dd3eb2e713d0ae7debacf87fb1aad9d7e2689afbf7954fe58af1847714d3930

Download Submit
C:\Users\Admin\AppData\Local\Temp\bz3aaj25.0.vb

Filesize
14KB

MD5
02d97a695c14eb414cdb1ff582c491f3

SHA1
1ab3fe6eb68f611064caff17ddaaa2ef266bbb1f

SHA256
4c8307de38ce7fdbb88a807ca284c892100803f8409324a889857a936ea6827b

SHA512
11058927faac03581cabdc105321954ae54a71b9b4a2b76905235a4aa6adbb20710256c77bea48a4f4fbd5e74efe2521a054150bf5cc5f8d468b1e0a8a824d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\bz3aaj25.cmdline

Filesize
266B

MD5
0e2758f4c1641b3dd2a5c2f99e2d3268

SHA1
a34ccf282d8fc39d72da033a3e78ef0ab562716f

SHA256
2c31516a83f1f9bbaa5c4274f4e4b75a719ede5041196d909f49fc3dd60e9f01

SHA512
c962feeccd514667d96a52b3921af8badf450b55021c585681cea8e0cad9e01d0ae907b73d50b11860dd84efc2febf3f7d938a70487d3e3b3f6307f0aa840569

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BCE.tmp.exe

Filesize
78KB

MD5
8eb333bb08518ffe7e0bca3903b0792a

SHA1
4aa552b0b32909a384f59dffc191370b94451d1f

SHA256
e59dd6224439b0cf324333232b41ddf1c286a336b9b1f5ae55189e8bbca524cf

SHA512
346c9738376beb67bedff81d36ab01fb299fa6747e9f115e8b844ed397c1195de950372eaaa1c1b226d020f35d57a1aaa3847ad89430cd454786fc534745e7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25831E5DDFD3442A91DEBA3FBBC0727.TMP

Filesize
660B

MD5
1c8fcdc7a58b63b5d71e9cb25f1a20f5

SHA1
d9365ddb8736fe74533850fb56aeaac01f6a6ad2

SHA256
39ac198ccd9135e1fecdba8c333a1020e496913f9937b6b30132e3fdeb598fac

SHA512
699879c3fc2083a1762de583be830fef194e6e9f10bab50fc6348c91419915dab8fb8bd41e670fee6b106abb89ca70b2ac2c4e055604745197592ef0f0802bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/180-21-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/180-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/180-2-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/180-0-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4060-24-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4060-23-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4060-22-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4060-26-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4060-27-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4060-28-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4060-29-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4876-8-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads