metamorpherrat | f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa

General

Target

17476bf322467a2315505fc104781270N.exe
Size

78KB
MD5

17476bf322467a2315505fc104781270
SHA1

712f9be5b57aa50618eb87fb1ed0768707666eb9
SHA256

f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa
SHA512

4dc9fab650f6b863d2551e5ec2030e559af0185debd2d3282e3bd171ad201c119610e00fc22c2b9ad911374cf4f341d26d7a81906c2d185047dc96170af37899
SSDEEP

1536:fRWV5jiLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6Y9/m91lW:fRWV5jsE2EwR4uY41HyvYg9/mY

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17476bf322467a2315505fc104781270N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	17476bf322467a2315505fc104781270N.exe

Deletes itself 1 IoCs

Processes:

tmp6B6C.tmp.exe

pid process

4232 tmp6B6C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6B6C.tmp.exe

pid process

4232 tmp6B6C.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4232	tmp6B6C.tmp.exe

pid	process
4232	tmp6B6C.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp6B6C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6B6C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

17476bf322467a2315505fc104781270N.exevbc.execvtres.exetmp6B6C.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17476bf322467a2315505fc104781270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6B6C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

17476bf322467a2315505fc104781270N.exetmp6B6C.tmp.exe

description pid process

Token: SeDebugPrivilege 1604 17476bf322467a2315505fc104781270N.exe
Token: SeDebugPrivilege 4232 tmp6B6C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1604	17476bf322467a2315505fc104781270N.exe
Token: SeDebugPrivilege	4232	tmp6B6C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

17476bf322467a2315505fc104781270N.exevbc.exe

description	pid	process	target process
PID 1604 wrote to memory of 1308	1604	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 1604 wrote to memory of 1308	1604	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 1604 wrote to memory of 1308	1604	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 1308 wrote to memory of 2952	1308	vbc.exe	cvtres.exe
PID 1308 wrote to memory of 2952	1308	vbc.exe	cvtres.exe
PID 1308 wrote to memory of 2952	1308	vbc.exe	cvtres.exe
PID 1604 wrote to memory of 4232	1604	17476bf322467a2315505fc104781270N.exe	tmp6B6C.tmp.exe
PID 1604 wrote to memory of 4232	1604	17476bf322467a2315505fc104781270N.exe	tmp6B6C.tmp.exe
PID 1604 wrote to memory of 4232	1604	17476bf322467a2315505fc104781270N.exe	tmp6B6C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe
"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE99743E989364EC693CBEEABC95970B2.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6C66.tmp
Filesize
1KB

MD5
a4b7374ab2bed36cdf1d42f75421921a

SHA1
442fe95023bd8ceb4a21800c6ba745c455edca38

SHA256
1f531ccea22247fc70f2fde3ac084ee2ed144ee2fdf8b6352b1b910db2e07d5e

SHA512
5e89bf1d33bd22c45d70e3367120657145b7fcf017f930d9a06ed7305f24582d7f342d017ed329f0d96f7ed109b129542a8bbb663fbece1cb392f2ad1bf60818

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.0.vb
Filesize
14KB

MD5
b1627c05d89c9bf9ab9e2a69f6768f4b

SHA1
00be84a04809e91c957418910b384a359b90a3eb

SHA256
92ec31ea67c4c24faf55ad47ea5f86ae9a62d58366a13e20d52e26868cb19f2a

SHA512
d72970f521fcd52ce6e08dc9b6eb1536535e4f012fa774d60e57b0bbb220e20d68ed885237ab8a424e37643ee0609026ab7f0332fa5b877d1efe8553a32e08a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.cmdline
Filesize
266B

MD5
37555fead398292d815c8f7bb6cdf27c

SHA1
0b23317dd88d8a144e6d6f06a5c22bf3fc3a7f77

SHA256
368ace56a2691a0912bb4df2206dc2369a4478ade45b8a7f0b48ee5265745964

SHA512
26abed91282ab010358a73e34c6304b8d5a2ad7996445025a2851dfc19455ab669a9d2dd7b47c4c6988aa61aa019a5a005fe36f28b8c09fba50b312e851287d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe
Filesize
78KB

MD5
a89e5c60ab0237ee36f256e5552182f8

SHA1
33a9879e91b7477f06a9a9e63f4f676bf3ab735b

SHA256
a2bd26a6cb5f96b757f2ad469dc6014537d133054a7891779d64de5c0fa41cb1

SHA512
e970b328c5597605ee2940907a57b24f08aca805f3abb735edbb3678352ea92cfb3a3f9ee8c41efe219d610f3bd562484a0ad9733b8615edd07ad6c71eb65f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE99743E989364EC693CBEEABC95970B2.TMP
Filesize
660B

MD5
69dcb2e8f03b89867e9c81656709ecf5

SHA1
4f57e855d063b400f8ed7b266437ce7aade42202

SHA256
6b2ad9e0cd278f03f740351210ed751c333b3546fe7da5b9f2e5e4caddc7a8c9

SHA512
b7ab65bbaf14ea3cab0d1fb701de6fd4cdcc323417d520f29e12d8584d91406b9f2608c361b68049380211f7d8bab226296ed90a137fca8e102f0781a41c8f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1308-18-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1308-9-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1604-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1604-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1604-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/1604-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4232-23-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4232-24-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4232-26-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4232-27-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4232-28-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads