metamorpherrat | 384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959

General

Target

4055902531fb7712981860ed1279b730N.exe
Size

78KB
MD5

4055902531fb7712981860ed1279b730
SHA1

f900ddadbcb024f2c285d18d3eb88e1553967b42
SHA256

384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959
SHA512

fa73bc74ed256b7fd7fce0eb9ce20b6c38de7920c202720d6ab3c7e354cf33c4c9d81ad6187a095689703763e0468d9294a83883d5166ced743d8698cb591222
SSDEEP

1536:1e58cdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC64w9/a/k1+Q:1e58rn7N041Qqhggw9/ay

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4055902531fb7712981860ed1279b730N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	4055902531fb7712981860ed1279b730N.exe

Deletes itself 1 IoCs

Processes:

tmpE6F5.tmp.exe

pid process

4756 tmpE6F5.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpE6F5.tmp.exe

pid process

4756 tmpE6F5.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4756	tmpE6F5.tmp.exe

pid	process
4756	tmpE6F5.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE6F5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpE6F5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4055902531fb7712981860ed1279b730N.exetmpE6F5.tmp.exe

description pid process

Token: SeDebugPrivilege 2704 4055902531fb7712981860ed1279b730N.exe
Token: SeDebugPrivilege 4756 tmpE6F5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2704	4055902531fb7712981860ed1279b730N.exe
Token: SeDebugPrivilege	4756	tmpE6F5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4055902531fb7712981860ed1279b730N.exevbc.exe

description	pid	process	target process
PID 2704 wrote to memory of 4004	2704	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 2704 wrote to memory of 4004	2704	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 2704 wrote to memory of 4004	2704	4055902531fb7712981860ed1279b730N.exe	vbc.exe
PID 4004 wrote to memory of 2196	4004	vbc.exe	cvtres.exe
PID 4004 wrote to memory of 2196	4004	vbc.exe	cvtres.exe
PID 4004 wrote to memory of 2196	4004	vbc.exe	cvtres.exe
PID 2704 wrote to memory of 4756	2704	4055902531fb7712981860ed1279b730N.exe	tmpE6F5.tmp.exe
PID 2704 wrote to memory of 4756	2704	4055902531fb7712981860ed1279b730N.exe	tmpE6F5.tmp.exe
PID 2704 wrote to memory of 4756	2704	4055902531fb7712981860ed1279b730N.exe	tmpE6F5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe
"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\viehy7gk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A43A115838B42F4972F27F5C72E46AB.TMP"
3⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE8AA.tmp
Filesize
1KB

MD5
fcdb3d512e3eae776ecae9c7013eba3c

SHA1
e18ebc2480b4e7472d7550740c5d1a8494d81e63

SHA256
4bb5eda03c1acf309148a0678c146af075c103af38cb78a8156db2812f316bd4

SHA512
af9cee8c4a88825c43d8193d70e01bb07bcb3affbee72f76a3e3af2ff42259c63f85dc0530cd5e920da7c98e19e953182024e8b25686f9dc4625f11e347da294

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe
Filesize
78KB

MD5
974a67b71cc35a0c6b60577ffa7aa125

SHA1
8feb15a0bb559cbe1acf89633945009d279fda2c

SHA256
882bcb80e9b83277f7c3c6d3f9669731c6dc8245c40177373b6f6faa0a84b8a8

SHA512
709baea2f4873a76ae545de873e3633146b32b36b3fa14073f5b8468faeacfeb131a37b7509089b3b246d1b7d4115eaa9198ad72ffb46f14fc730a869380d342

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A43A115838B42F4972F27F5C72E46AB.TMP
Filesize
660B

MD5
223a0a70a43c302f105e2668b2b0d59f

SHA1
aad8e316b55ab586fe8eb1cb6fe64ae62278b08b

SHA256
15839e7c0e4280b8f57a8e0d8eab6e80291af0d90ad8c7c6177ab7db03b9f5f1

SHA512
b399593e67d09a599ff018766c2c7ad78de53854abcfdb8df7f874faca13f5239559868fad002dfdbdd2aaca5f3c121014fd58d673671e607af58e3572cdbae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\viehy7gk.0.vb
Filesize
14KB

MD5
0c0962cb88e119e1fb9caa8955cbb1e9

SHA1
bb0a4e060b4b9a45f44483d9672a4fda2910f072

SHA256
820f3c5d6f2ebd6ffb4a4226d713b048e980b23ab2943b69984c43bb69902592

SHA512
847ec65b25cddc0078bdb187b02da4d8848de882730e7aeeb379a59a2769b40d8ce25c42254ae8ddaf9c769c7c8e78f5f71866b0c19ae6e8e1bbf127d8e4ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\viehy7gk.cmdline
Filesize
266B

MD5
ef780615974dba04c569efe5b30ea825

SHA1
0086e506d75e5c14e668a5133ab6dac4b6f25b8a

SHA256
d1b68dbffd1e0c4ac19bbd279df80a73d1a576f8ff30f63a0b1aa8f739267d25

SHA512
01680527adfa34ea1edf9bdb64e066dc954fd9aa84465745e35424a808f166a93b0f7050002b760db5fb1d26b9fb3dfa0aa4ddc87b0a3e5841ebc99ca6e90d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2704-1-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2704-2-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2704-0-0x0000000074E52000-0x0000000074E53000-memory.dmp

Filesize
4KB

Download
memory/2704-22-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4004-8-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4004-18-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-23-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-24-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-25-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-27-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-28-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4756-29-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads