metamorpherrat | 5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22

General

Target

2561b7a1603462034ddf1da1bd2fed20N.exe
Size

78KB
MD5

2561b7a1603462034ddf1da1bd2fed20
SHA1

634c9f4bfa9073ac5a68676ea7fdf1f260fde473
SHA256

5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22
SHA512

876a89488c7dd5aa0cec2e32d4171dd77750ca6e6132ecdeac01e1247be14c94c93ed6a048013c8ef7057c76c1471e4b5d305bab3e27f7187c46b89396a00e03
SSDEEP

1536:KsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtt9/X1tn:KsHFo53Ln7N041Qqhgt9/n

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	2561b7a1603462034ddf1da1bd2fed20N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpB229.tmp.exe

pid process

2600 tmpB229.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2600	tmpB229.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpB229.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB229.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exetmpB229.tmp.exe

description pid process

Token: SeDebugPrivilege 232 2561b7a1603462034ddf1da1bd2fed20N.exe
Token: SeDebugPrivilege 2600 tmpB229.tmp.exe

description	pid	process
Token: SeDebugPrivilege	232	2561b7a1603462034ddf1da1bd2fed20N.exe
Token: SeDebugPrivilege	2600	tmpB229.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2561b7a1603462034ddf1da1bd2fed20N.exevbc.exe

description	pid	process	target process
PID 232 wrote to memory of 5036	232	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 232 wrote to memory of 5036	232	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 232 wrote to memory of 5036	232	2561b7a1603462034ddf1da1bd2fed20N.exe	vbc.exe
PID 5036 wrote to memory of 956	5036	vbc.exe	cvtres.exe
PID 5036 wrote to memory of 956	5036	vbc.exe	cvtres.exe
PID 5036 wrote to memory of 956	5036	vbc.exe	cvtres.exe
PID 232 wrote to memory of 2600	232	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpB229.tmp.exe
PID 232 wrote to memory of 2600	232	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpB229.tmp.exe
PID 232 wrote to memory of 2600	232	2561b7a1603462034ddf1da1bd2fed20N.exe	tmpB229.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gu0wwysg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc837E273DE06A46C7AEF2622A8885B830.TMP"
3⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp
Filesize
1KB

MD5
84bd34d1dfaa1ec2cd3d7a5b3a7cfead

SHA1
c3c775fa363aee7359d4823b318e34707a5f54fe

SHA256
7a0fece925c2e8015efa39afac8e1cc1cb2670ffb8a0a9ca387fd693cbd6311d

SHA512
f65f9aae2594f5c1b557f0ac3cacc6a512b6a1c509e745b9e8056b831c94c413fdf161bbbdca80e8d44743674ca9b53bdccf8a2682019f1b7270c501aaf1bb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu0wwysg.0.vb
Filesize
15KB

MD5
2a891c7779e816a4589248b5845e102d

SHA1
951206e71273a7e80165f3eb591c2498f7e1ae36

SHA256
3a5dfdac29f427b96dca7bfb1c5b705d1bd968c735b2cd0ffa21e5a89bbf3c26

SHA512
42174c8649964be4d5e3232a40eeea83b056f4353d25f3db2e1458c85f88a08c750188942391e9572ef7c2d2999d2e85e93cf389733f5b0fbb85045566d94ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu0wwysg.cmdline
Filesize
266B

MD5
2f1a97054f868935f7104987cdaaf765

SHA1
1c0c3eef53d3813446c14f44ac010cd81430bc50

SHA256
6e8a7f4fd2250ab75f988bd35135cb3b85d710093471e30813f3b888e65881d3

SHA512
6354ab7be509ca97f76057fefe4ab68b70fd02fdbcdae4545bac1f44f79294c696f43e83c1cb8fc79dff242cab578cb720db35a756b8cd60a6d8b60ac4584768

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
Filesize
78KB

MD5
174b878cf321f33f817fdc678b8f61fc

SHA1
1da5557a956f9325dc1d588665725ad94e613d95

SHA256
0b2e652a06babc3de46c19523ed77719640afd24289f9542b8d7fa85e83c8cce

SHA512
66d9736b9f268649136a1782c136146e6c5bf8c5b23952ff600ef3af7951cedfd1b9adc8c5724aa53aa5e38a8718b0ac02d4000620a7ca497246b9295502d8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc837E273DE06A46C7AEF2622A8885B830.TMP
Filesize
660B

MD5
323bc8c8d1a1b5d33728f9f01db6ab34

SHA1
9e58ceaf69d552f137e9f7dad414b402ae4fefe7

SHA256
94b16f86326080303dda152a516b71c25f3548a71fd0efbc40e67299b3d04f2a

SHA512
d1233fd6c688df4f8b8a63813426008c622c8e60b9acf8e89540716bedc18cfa978761451f836678ce1982711635e3e088269522b688fc0b7cda9b655c95b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/232-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

Filesize
4KB

Download
memory/232-22-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-23-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-24-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-25-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-27-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-28-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2600-29-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5036-18-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5036-9-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads