metamorpherrat | 9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5

General

Target

537592d1e3899ffc46a2cde415c48a80N.exe
Size

78KB
MD5

537592d1e3899ffc46a2cde415c48a80
SHA1

2d827e1e97d2f615c6b7978be57889b5180bd389
SHA256

9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5
SHA512

97c4489949293c01be613b6b3775735b28cb5f4485df1d4a98062140d25af3d2b3950af36ccd2d1c00fc932f912db0663b2aa8d841809af4ec9e2c55fe897b7b
SSDEEP

1536:FPWV5sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN629/31IL:FPWV5bn7N041Qqhgx9/g

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

537592d1e3899ffc46a2cde415c48a80N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	537592d1e3899ffc46a2cde415c48a80N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpC4D6.tmp.exe

pid process

320 tmpC4D6.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
320	tmpC4D6.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC4D6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC4D6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

537592d1e3899ffc46a2cde415c48a80N.exetmpC4D6.tmp.exe

description pid process

Token: SeDebugPrivilege 5032 537592d1e3899ffc46a2cde415c48a80N.exe
Token: SeDebugPrivilege 320 tmpC4D6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5032	537592d1e3899ffc46a2cde415c48a80N.exe
Token: SeDebugPrivilege	320	tmpC4D6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

537592d1e3899ffc46a2cde415c48a80N.exevbc.exe

description	pid	process	target process
PID 5032 wrote to memory of 4844	5032	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 5032 wrote to memory of 4844	5032	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 5032 wrote to memory of 4844	5032	537592d1e3899ffc46a2cde415c48a80N.exe	vbc.exe
PID 4844 wrote to memory of 3520	4844	vbc.exe	cvtres.exe
PID 4844 wrote to memory of 3520	4844	vbc.exe	cvtres.exe
PID 4844 wrote to memory of 3520	4844	vbc.exe	cvtres.exe
PID 5032 wrote to memory of 320	5032	537592d1e3899ffc46a2cde415c48a80N.exe	tmpC4D6.tmp.exe
PID 5032 wrote to memory of 320	5032	537592d1e3899ffc46a2cde415c48a80N.exe	tmpC4D6.tmp.exe
PID 5032 wrote to memory of 320	5032	537592d1e3899ffc46a2cde415c48a80N.exe	tmpC4D6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe
"C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vbjehl7t.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3455637BD3D48B699651F626A929DC.TMP"
3⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp
Filesize
1KB

MD5
112d1e47fa86a3b2be080513aaacc6c4

SHA1
79448c7dc22ef798b8f7ee1086d2e436d8477183

SHA256
0c3751134adb27fc8c24601712c2b59ac10d2d5e6902d696f3f2358d31f69a09

SHA512
bd24700e3a46865b0e5cdcf30355f8ffa0bc92271b1e4132cc1050ee31e13b792cc4c174686065d8fa0a138887de4080985711a06dab455a993f185fbd7d4f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe
Filesize
78KB

MD5
3581a6a1ee824275b7f1702f7c96c8f8

SHA1
b5fa15e7a240b0b62a2872a4a1867fb9431770a0

SHA256
a67c08ea090d79c022da116d14dfbaf447c84e301f1b0458d7dd1dacc0bcdb71

SHA512
d83e170de6fc1c7aeeb1b49aa773acfe5ca57ef06ee544fce5804036701053159c6591fbd7239ffc31ca3674959329632f769ad9206a7caf70dff1d2af7a75f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3455637BD3D48B699651F626A929DC.TMP
Filesize
660B

MD5
90c62bcebed5dcd7e2821fe026d740ee

SHA1
c04aff3573bd6013844e4d05564a75944358230b

SHA256
148d75578ee580060d82c1bdc70d8d6328b04ea546bcb68073df7a1e77219f97

SHA512
02b59ef7dd8afc78900dad37de17c2b9effa1e2fa3fa4bbccf102826f8f87b4e5ef6a7d9f6e81e61b384f708a893ffc142ef3ee44bd6b68af2d52e4d8d2224c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbjehl7t.0.vb
Filesize
14KB

MD5
abf4ecc1f4f0cca825661e9dc5d357a1

SHA1
ae0bc77ef2a6f90610c09caf7346133e7f51e3a7

SHA256
bb32be559d0e336753cf1ee3e4f49150070846f929c801b97ba689660a856043

SHA512
296dcbca0486fb90e3f63962f58a5ab29af84f7848e0781f35c0ef79d855934a35559b3f48249bf4e0ac872b0e5fb3d210ac7d9ebd0c6d1ecdd8f4cd21e8f6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbjehl7t.cmdline
Filesize
266B

MD5
ed6482b99bca516b94b6d120b74746bb

SHA1
cd1bdb092024697397dcd31e3bef34ac8a1f016c

SHA256
861fb74a9aa63717cede1983b7cad4493f63dd5ddcf5a6a618092319d8f416d6

SHA512
91e4d193d51b74c81ed7e19787096f4c23914e6b6325df67eeaa9c4fbe280129f229cf099dbd4f3944a01a0c9e5f949868b1fd16c3f6797498917dc597a106e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/320-23-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/320-25-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/320-26-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/320-27-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4844-9-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4844-18-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/5032-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

Filesize
4KB

Download
memory/5032-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/5032-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/5032-22-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads