metamorpherrat | 6a1f0457ec907801ab79abcb70c7b1725afa9a000d7995b6d83d13154691a7dc

General

Target

6742d12ccd2243002f975210f9e16f30N.exe
Size

78KB
MD5

6742d12ccd2243002f975210f9e16f30
SHA1

15bd6edb54bd2582f622da4b6c922bf517a772c4
SHA256

6a1f0457ec907801ab79abcb70c7b1725afa9a000d7995b6d83d13154691a7dc
SHA512

23916ca5f8533f9cce0018841c94119451f1ca62eee6589c6923c8e36f8fbcd0f469fcd40f23a8eaac5824ee72b94b508fe418624df0f8d683ede78773f8e46f
SSDEEP

1536:IRWV5jEdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC609/nJ1Op:IRWV5jzn7N041Qqhgs9/nG

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6742d12ccd2243002f975210f9e16f30N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6742d12ccd2243002f975210f9e16f30N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpC60F.tmp.exe

pid process

60 tmpC60F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
60	tmpC60F.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC60F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC60F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6742d12ccd2243002f975210f9e16f30N.exetmpC60F.tmp.exe

description pid process

Token: SeDebugPrivilege 2948 6742d12ccd2243002f975210f9e16f30N.exe
Token: SeDebugPrivilege 60 tmpC60F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2948	6742d12ccd2243002f975210f9e16f30N.exe
Token: SeDebugPrivilege	60	tmpC60F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6742d12ccd2243002f975210f9e16f30N.exevbc.exe

description	pid	process	target process
PID 2948 wrote to memory of 4936	2948	6742d12ccd2243002f975210f9e16f30N.exe	vbc.exe
PID 2948 wrote to memory of 4936	2948	6742d12ccd2243002f975210f9e16f30N.exe	vbc.exe
PID 2948 wrote to memory of 4936	2948	6742d12ccd2243002f975210f9e16f30N.exe	vbc.exe
PID 4936 wrote to memory of 3020	4936	vbc.exe	cvtres.exe
PID 4936 wrote to memory of 3020	4936	vbc.exe	cvtres.exe
PID 4936 wrote to memory of 3020	4936	vbc.exe	cvtres.exe
PID 2948 wrote to memory of 60	2948	6742d12ccd2243002f975210f9e16f30N.exe	tmpC60F.tmp.exe
PID 2948 wrote to memory of 60	2948	6742d12ccd2243002f975210f9e16f30N.exe	tmpC60F.tmp.exe
PID 2948 wrote to memory of 60	2948	6742d12ccd2243002f975210f9e16f30N.exe	tmpC60F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe
"C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jud3oby3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC709.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3637A7BCA1C429AB1696AF5C1B5867D.TMP"
3⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC709.tmp
Filesize
1KB

MD5
cffd08d5e8bdcc5356f1259edd1568b0

SHA1
3676ccb83ac3cb7fe04f5b2224ada69687514fed

SHA256
0dd52885d61515cc8352e300de815adf07ea8ab62c78ee98cdfbc8042050965f

SHA512
d234dbc7b68cbc37af41739778d0590006dd1b0eecfa2f6bac8ea1797153ced83cc719c499d45c71e3312160fb7dd445cad3574c1e75bbd126bf73fa0c944dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jud3oby3.0.vb
Filesize
14KB

MD5
717bb9976ca5d957d7c13cd566ea0fe3

SHA1
607c1032cd199830c735ccca13fecf205ef95452

SHA256
3c2aa9e560ae662724aa2ac0ea761e11166f56ca1861cd3f78a3890554bca162

SHA512
346dffd45175389cfc8d4fb0a30939fca25e155ba6a3dadedb71a932829d9a40ba44e3a21d1f93e873d6256d292737274836051b9fe785bd7be36d5dd687def2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jud3oby3.cmdline
Filesize
266B

MD5
18384a764e8950e80ac5ef4fea9bdbed

SHA1
97ac73ad4ca6ce85531a195a7c9b8cf31f0912f2

SHA256
b9cd4d2ca34d60c171bacef359d8f094b5babade27527f88e8d0c67385786b06

SHA512
5a4eab3d89531cbc999101897e2962d56bee505b661abc4dc2e121e76215333182cfb1c6ae86508c2d88bc7833f6f4436e9899deb16bd2334376b72f09170a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
Filesize
78KB

MD5
a3f5a3aa7e613139e90fb4f637bdce4f

SHA1
f4b96ea88ea21f1bda7b64aef674aec4701cb0f5

SHA256
354df2e7626a8dd8fa66a3dd62f75fd5488af8ebb7657efa04bd092290af3713

SHA512
cfcc644678ba246462d79be21b6fdc63c9c3a58835bcbdbb9d0bda095c398c632bd3f1f3960ff7d5fdecffee79ad590e70ec25a55e2a6fa5586a6b1dc0c35075

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3637A7BCA1C429AB1696AF5C1B5867D.TMP
Filesize
660B

MD5
927098e5a01f72a952fdf8aa1719fdfc

SHA1
48bedbd5ce8de0089849789beea45a10429d4218

SHA256
6d7db10048d4de17cae129bee35aad53f2ce860e3793574e4af318d44b3ec2db

SHA512
b2e304d01493811ad53ea9cd1c30fdd5f3f760a4cbc30da1153dac911e0e5d8c0111bd7e0f29b8309cdea999ea672392ff28ca04009f0c88351659778c5632ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/60-24-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/60-28-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/60-27-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/60-26-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/60-23-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2948-22-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2948-1-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2948-2-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2948-0-0x0000000074752000-0x0000000074753000-memory.dmp

Filesize
4KB

Download
memory/4936-8-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4936-18-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads