metamorpherrat | bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41

General

Target

611fbb528be6fde776975a1afea7ae40N.exe
Size

78KB
MD5

611fbb528be6fde776975a1afea7ae40
SHA1

3a3db1f638ce8b6f570e593d8275896bedd5493f
SHA256

bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41
SHA512

6c9d6a76421742aed15fe994c2762757b648f70d0fa44290f1233264f8aa157476471d461487f300fb1112ba125e2b8459d33aaf2dc6d53c95eb03a6487f1698
SSDEEP

1536:ItHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtO+9/5v18:ItHFo8dSE2EwR4uY41HyvY99/M

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

611fbb528be6fde776975a1afea7ae40N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	611fbb528be6fde776975a1afea7ae40N.exe

Deletes itself 1 IoCs

Processes:

tmpD263.tmp.exe

pid process

4852 tmpD263.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpD263.tmp.exe

pid process

4852 tmpD263.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4852	tmpD263.tmp.exe

pid	process
4852	tmpD263.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD263.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpD263.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

611fbb528be6fde776975a1afea7ae40N.exetmpD263.tmp.exe

description pid process

Token: SeDebugPrivilege 2936 611fbb528be6fde776975a1afea7ae40N.exe
Token: SeDebugPrivilege 4852 tmpD263.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2936	611fbb528be6fde776975a1afea7ae40N.exe
Token: SeDebugPrivilege	4852	tmpD263.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

611fbb528be6fde776975a1afea7ae40N.exevbc.exe

description	pid	process	target process
PID 2936 wrote to memory of 1080	2936	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2936 wrote to memory of 1080	2936	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 2936 wrote to memory of 1080	2936	611fbb528be6fde776975a1afea7ae40N.exe	vbc.exe
PID 1080 wrote to memory of 4892	1080	vbc.exe	cvtres.exe
PID 1080 wrote to memory of 4892	1080	vbc.exe	cvtres.exe
PID 1080 wrote to memory of 4892	1080	vbc.exe	cvtres.exe
PID 2936 wrote to memory of 4852	2936	611fbb528be6fde776975a1afea7ae40N.exe	tmpD263.tmp.exe
PID 2936 wrote to memory of 4852	2936	611fbb528be6fde776975a1afea7ae40N.exe	tmpD263.tmp.exe
PID 2936 wrote to memory of 4852	2936	611fbb528be6fde776975a1afea7ae40N.exe	tmpD263.tmp.exe

C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe
"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD409.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5724CE2CD6D8460397C5E2C26D56F17A.TMP"
3⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD409.tmp
Filesize
1KB

MD5
8b4f14acd2453fdbde561dd53bd00ac6

SHA1
fbbffc943cdcdeebbf90fd7c1dd04d5f68ae90ba

SHA256
c0a5a6ebc612d62d83bda3e95f6bf30dc7a34a0a150f6283ad606c8ee197a2c4

SHA512
573cce55e2a9503b2ce58cb80fb2422276c7a206737b2fb6431dfe8d7557dfcd471b31e3890b892d3b5d88be10e79718386911919dca84449e289760433d9108

Download Submit
C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.0.vb
Filesize
15KB

MD5
0f3c17a7492a19e01070fb45b77e7de2

SHA1
17b8fd4a9a768e93ae1f0129e37f3fc2425e9b37

SHA256
e56c9c8335c398b3d9d23476214a61d2bf6658b655024d63fd912b5505d9298b

SHA512
66b727a92288e6559b4d1bfd8ac846a01cfd8d17a7823dd5926753ab2f8f9be49f2959a1ca2ae8c787eb6139096eabf0159b29187f8e159426f7a66fc374c4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.cmdline
Filesize
266B

MD5
141d44f3bc93a4176629f1c656a8334d

SHA1
90979ca8d3867678b67fcfc647a882a075cd6f92

SHA256
9c53a33870a33fb15a3b428ef89ad1953c035b28b0585a4b50f2638e509241c5

SHA512
85fc2439597d4ffac90fe67c53865dbab73e63833c409e088fffe09fc5955af282278c567bd215d222628407de0d503ecae8a0a1eaed9e13279763fbe7b4f70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe
Filesize
78KB

MD5
be2ffb85c6469106a80add5413ae82e9

SHA1
fd399158397ae20cb9155cebc99977a5a6a584b7

SHA256
34e16e03972605b348e72e3d739b9698d30eaf1211e7ed3c9b9ea5ff9a08d599

SHA512
153391dee058662586da8f8fd39038493bc25c5ad4daeab18e1c93469b888c40b5c5cc4e454141445393cd6a6d4dd30ec33733081a18974f8bec62fe75a15ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5724CE2CD6D8460397C5E2C26D56F17A.TMP
Filesize
660B

MD5
d3e2d5cafc4dd2894f2aa2cafda7aeae

SHA1
cadd15cab019130584ccade9b388c20a804bacfd

SHA256
f07c9ac6afafaeebe9d9348c4f41a74b837527e49b0e1406e3831c3546bec563

SHA512
774f2222c1c34ae515254513a5715fc3c5bae285ab16c57f930352d569c7cc24b07131c0f51549f2bf3002376cadb38f88da995d855447304f00b210e49d5fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1080-9-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1080-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/2936-22-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-23-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-24-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-25-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-28-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4852-29-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads