metamorpherrat | 662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d

General

Target

56fda1a225279bc1a477cd3f82fd34a0N.exe
Size

78KB
MD5

56fda1a225279bc1a477cd3f82fd34a0
SHA1

c9a62f04247fad125ed89e95e7c452ba0a75ebdf
SHA256

662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d
SHA512

ac053631dd1808072071ad0d9975ad3fe738550a266517d1d07c32171b0143881ce3b830434c82abf75ca7a1bd8143d05bd89ebd3e31e30c7d4e569331b368f2
SSDEEP

1536:YuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteh9/XyJ1sA:YuHYnhASyRxvhTzXPvCbW2Ueh9/XyV

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	56fda1a225279bc1a477cd3f82fd34a0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp5DCF.tmp.exe

pid process

3284 tmp5DCF.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3284	tmp5DCF.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp5DCF.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp5DCF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exetmp5DCF.tmp.exe

description pid process

Token: SeDebugPrivilege 4696 56fda1a225279bc1a477cd3f82fd34a0N.exe
Token: SeDebugPrivilege 3284 tmp5DCF.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe
Token: SeDebugPrivilege	3284	tmp5DCF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

56fda1a225279bc1a477cd3f82fd34a0N.exevbc.exe

description	pid	process	target process
PID 4696 wrote to memory of 2752	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 4696 wrote to memory of 2752	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 4696 wrote to memory of 2752	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	vbc.exe
PID 2752 wrote to memory of 464	2752	vbc.exe	cvtres.exe
PID 2752 wrote to memory of 464	2752	vbc.exe	cvtres.exe
PID 2752 wrote to memory of 464	2752	vbc.exe	cvtres.exe
PID 4696 wrote to memory of 3284	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284	4696	56fda1a225279bc1a477cd3f82fd34a0N.exe	tmp5DCF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP"
3⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp
Filesize
1KB

MD5
730e6d1d97b52ea2eefda626fe327303

SHA1
08759df5234f97b9a1490facad661f69aff18c3f

SHA256
f801334c7e2edcfce47b54e56dadf6a2ef4573731b273cbf6bd2944c86038bbf

SHA512
35648a4f5e99d618cc0c1efeff2645005cc9b4a79a03546ac84ce70199f0d2bd693ff055d3290d5f1f94998a6aef5eab03568fa0c323090c2d342a4c1d00abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\idoncn1a.0.vb
Filesize
15KB

MD5
4fe832a34dbf8b56e644500eab069feb

SHA1
bc8c1219dc0ff4ef56b6a406b63649d12000230c

SHA256
842237ea012d711b84756c1642d194fa34107c3e7f98c3fc929aff3383a9f64e

SHA512
304ebfada44e38fc5711acbf0efa94b1d49b2a5fbdf99aba230bcdd0b5b2415c79cf746595e83a5ca6d5906c97ccec658bcec3daf3a05e45df6a1f7197c68925

Download Submit
C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline
Filesize
266B

MD5
8d1ced5a993fd2eb7bc8bea9c7813b25

SHA1
f6baebc60814266a0799bc72a4a9a0c757d64346

SHA256
85f1f0b8ae0a32075a9f761fc27587e6fbd4e39b697e518e52f76f734d94b079

SHA512
b36bc4602784b1ca5570d95e14403fe577495e9078366900202aa64ca8a1594470f14bb61ad6d7cc8e121b1afc8c633c591e49ecfd50a867c5424686ec00fed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
Filesize
78KB

MD5
9cb6c77df4a94aaf2f201fddf5df7fb7

SHA1
6af721d47f162c554fd9791ca9036520c8a5f6bc

SHA256
d80253bfd652c85dbbc8af45785294bf21d58e91a3112165cbe3d5dd84887642

SHA512
21c09496999960c314025425694b33ff42baf0dd47c7d9572576411c0963f8f049154ca507edb985b96e981c47e3103aaabcbe491ad957bcfa047dbeb11a83a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP
Filesize
660B

MD5
e1efbb7095f3bddfdac0465aa4208f97

SHA1
b03d989a200c8a36d54288e216d595a72a89bd66

SHA256
9bf9faa3254bde28eccc92e45c58c05b2c6a438ab87c1a145e1127999e220ea0

SHA512
ea2a8f58bcb39d75cb9f268c622e01efbc7951b5d7b8394cb951a58c68dcdc706fa4bc970e87b36587d86c82d157c05c21c341fe08347c8deb05af60f7391f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2752-18-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/2752-9-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-23-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-24-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-26-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-27-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-28-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4696-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4696-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4696-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download
memory/4696-22-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads