metamorpherrat | 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0

General

Target

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
Size

78KB
MD5

6720be5e3ae5ab893f0a2c5a882a1299
SHA1

4e6839b86611b77164e8c0916c92e9365ec19f86
SHA256

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0
SHA512

6d5d61ad6578702a7cb0ca155863454857fb4a78dcff542633e52d781388d8418cbb5144ec6de028404293d528f465da71f2b5277708a8f7faab8b7f942cfdf6
SSDEEP

1536:wc58sXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6n9/dw1mN:wc58USyRxvhTzXPvCbW2Uv9/V

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

Deletes itself 1 IoCs

Processes:

tmpBFB6.tmp.exe

pid process

4088 tmpBFB6.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpBFB6.tmp.exe

pid process

4088 tmpBFB6.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4088	tmpBFB6.tmp.exe

pid	process
4088	tmpBFB6.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpBFB6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpBFB6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exetmpBFB6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
Token: SeDebugPrivilege	4088	tmpBFB6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exevbc.exe

description	pid	process	target process
PID 4832 wrote to memory of 2184	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 4832 wrote to memory of 2184	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 4832 wrote to memory of 2184	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	vbc.exe
PID 2184 wrote to memory of 2304	2184	vbc.exe	cvtres.exe
PID 2184 wrote to memory of 2304	2184	vbc.exe	cvtres.exe
PID 2184 wrote to memory of 2304	2184	vbc.exe	cvtres.exe
PID 4832 wrote to memory of 4088	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpBFB6.tmp.exe
PID 4832 wrote to memory of 4088	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpBFB6.tmp.exe
PID 4832 wrote to memory of 4088	4832	1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe	tmpBFB6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP"
3⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp
Filesize
1KB

MD5
7c2c5c8589e2f22456390bd8f1b9ee48

SHA1
8ecb1ed3b82a8ebe5ca813e776002a377eb9fc41

SHA256
f0f6ed3e5860daa0809e511f30f77697d9cfff9723e8420b5cde689dcbf76c8e

SHA512
a454f988857a5707c17550c6d5c66bebd0c5da16b4cced011ccaab1dedce5ac6c311947728b883ad21803ae6ab034254e7f64c85be1380288842fbc08cf18361

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.0.vb
Filesize
14KB

MD5
8f778391b1234b4e3bb9c0d959b6e8d6

SHA1
65a65d8bc52fb6b0001a27763ebad00a6c38bc44

SHA256
229a1905faeb8cd8e68ba6321e2cbf7a86cc180c166c3fd5bf793c1ed7618aba

SHA512
80bbffce44d1fbf1ad7f87b0ee199b47891fc6e3899803b2760d9c0ec8829e7479664193cc083dbe32eb6697f5e7a8a8337d1dda43896fc217ae9b822fcefad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline
Filesize
266B

MD5
3f1b759e9be1ef0d102eb999bd8dc4e6

SHA1
d4121d00af8ba6e4769f1ca02b6bc15d7a5115ff

SHA256
f9016cb79596ffc162a9e43359b343904d48b1e43ae3bf5e7ef8efc26dfe354b

SHA512
61285f1fc5c856a227f7398df9cc3cfe73b0764c42ee4f28dd6db227781d903ecbbe8a41f626c12bdca00d94ea1b3c3d3518f8a217b64a81f5c9251d759c3d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe
Filesize
78KB

MD5
77bece14d2fc91bb861648c99f856c10

SHA1
93d819e04c290002f77cd2b14706f5fc3410c297

SHA256
ca479aeefc42f7dd4358cba7d44227e934370b378598aa0d73f362e1307ae16d

SHA512
30d07ee917786efe4ef1c3d4d82018136968a32b991a645151304e1be3bd66e6802fbe4c992f5c703bb372af0b964076fdf67f7a6b3a9e32bc447fdaf378cbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP
Filesize
660B

MD5
5ba9f4cbc96ba3097d284292d045c7da

SHA1
3ef23512a501a43dd06dd40922d88f57b3385b80

SHA256
bf325084b67bf5ec8755dc57ad7dcc03a41ec8a0a8b51104700ed80e4988bea7

SHA512
6aacf2ef01bde92e95dacb5df3d2a60f95efdfb9c540a08f1ac8df4475e945d9f99df5b213f99da1636034aea69299275c6da7ecc7a5c02e9470e0e350992dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2184-18-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2184-9-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4088-23-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4088-24-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4088-26-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4088-27-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4088-28-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4832-2-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4832-1-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4832-0-0x0000000074762000-0x0000000074763000-memory.dmp

Filesize
4KB

Download
memory/4832-22-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads