metamorpherrat | 4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1

General

Target

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
Size

78KB
MD5

e5be2462fefba3f6bd0cdbba67410b95
SHA1

f68347fa8b06578487c2141d6d82fb6fd7679c97
SHA256

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1
SHA512

24fb60c02072a5b0c3cb59aa4a95a9a821043027e8b6fcb77939d2dfdbbafec7f4e5460bf6ad09c31ab2f3cdfe96ef4ef846f4ee5945063088fde60d9eecb0e5
SSDEEP

1536:2y58cdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC659/U1bS:2y58rn7N041QqhgB9/j

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

Executes dropped EXE 1 IoCs

Processes:

tmp97DB.tmp.exe

pid process

4856 tmp97DB.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4856	tmp97DB.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp97DB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp97DB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exetmp97DB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
Token: SeDebugPrivilege	4856	tmp97DB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exevbc.exe

description	pid	process	target process
PID 1640 wrote to memory of 3840	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 1640 wrote to memory of 3840	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 1640 wrote to memory of 3840	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	vbc.exe
PID 3840 wrote to memory of 2000	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 2000	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 2000	3840	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 4856	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp97DB.tmp.exe
PID 1640 wrote to memory of 4856	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp97DB.tmp.exe
PID 1640 wrote to memory of 4856	1640	4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe	tmp97DB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\np9vwtjb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9981.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E4C5A13574542BA91EDCD7F4B85963.TMP"
3⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9981.tmp
Filesize
1KB

MD5
fdf01e2473e04869582e455e9c491e31

SHA1
515a405e55221ddbbacc9936061a018328069a2c

SHA256
ab8f6b1bc08b771b509723376f21de4eaa949c2d9323f1ae8f47c600039dfe75

SHA512
bce55495c41e9984d1b70923f56e7dd3b698f6f49289fcc1e0b60f405e47add916bad56e510913e402f5d69eca269cc2eb4e31dd8f3f89ea400bde24be77f942

Download Submit
C:\Users\Admin\AppData\Local\Temp\np9vwtjb.0.vb
Filesize
14KB

MD5
cf9301c67ebfca118aac1b4b86dd7fcc

SHA1
63bae5067590958f88b6250848b69884ede779da

SHA256
43e26cc3dc828af80c614becb83e518c48905bb35c4c9421c700080b09118c53

SHA512
0591668e7c3b2a8b7505d9d80a36e9cd81957f3caccf44dd2c7276f6ff32924f739b882e27bce01fb025c390c560b117d54e4a16530fb93cf785e4f8a3295d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\np9vwtjb.cmdline
Filesize
266B

MD5
79f7541caed09367d0f17ab6a8c70419

SHA1
ca721588acc7fbd31f80e109d8a08f891fcb9b5b

SHA256
9cd753e03c47884afb77d49714c7ac8c95c0736808ffbc73b23d98abb76670a3

SHA512
d36d6a448dbb6911d527fbf25b376fa3b30f1dcdf5f0355a7c8b6d02b2a12eff739f0d9147620497f0e0bc0aa8fa1b0acdce948aa15d20e0a448498f8546aa77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe
Filesize
78KB

MD5
2d6181f5c43e36dd10402ae143fdf13b

SHA1
600332f7b0a7737dfd644cd89564524c2a96f324

SHA256
766b979b237e7e5000a0660cb26d4d688f8ddaf6a7100a0c5d5a8c74787c98e5

SHA512
68b65350d0eeb5ad3440cc95961e407110de779b8629ed8d218c7dbde7d2f54db2f6295c085962fae4589fb3c273e29b2f54598cdde21afaa8caefb4734224ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E4C5A13574542BA91EDCD7F4B85963.TMP
Filesize
660B

MD5
2d08e69b9ab419035aae18f8af8df6df

SHA1
9c736f4e1aba3600324731cc04170260d7afff14

SHA256
95010b65f5e97358512788b928e6d59a4667cdfdabd39e5ed8703672bb5c83fe

SHA512
db1e38ae678773850569119c45aa3270c7b570c604fa7cca9fd0bd75b796808dad3f7fae64137c970dc77fbfd4c4f1d7658289545ae25757228c38f970a4adea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1640-2-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-0-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/1640-22-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3840-9-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3840-18-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-23-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-24-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-25-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-27-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-28-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-29-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads