metamorpherrat | 69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be

General

Target

584c0b6241c94a0bd06ad1be57123a30N.exe
Size

78KB
MD5

584c0b6241c94a0bd06ad1be57123a30
SHA1

70642d38afe2d3054f789ee0138040299f73ee93
SHA256

69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be
SHA512

1a6d877dbf42703ffcf339ed955def62fbf2579270ae1d687676d93526e8af9df6215ecfeae1dfc2cc05617737d62f2bedcbd357c09b47e4732e0e4d2a83d0f2
SSDEEP

1536:7HF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl9/W1ad:7HFq3Ln7N041Qqhgl9/N

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	584c0b6241c94a0bd06ad1be57123a30N.exe

Deletes itself 1 IoCs

Processes:

tmp73B9.tmp.exe

pid process

4696 tmp73B9.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp73B9.tmp.exe

pid process

4696 tmp73B9.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4696	tmp73B9.tmp.exe

pid	process
4696	tmp73B9.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp73B9.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp73B9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exetmp73B9.tmp.exe

description pid process

Token: SeDebugPrivilege 4588 584c0b6241c94a0bd06ad1be57123a30N.exe
Token: SeDebugPrivilege 4696 tmp73B9.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4588	584c0b6241c94a0bd06ad1be57123a30N.exe
Token: SeDebugPrivilege	4696	tmp73B9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

584c0b6241c94a0bd06ad1be57123a30N.exevbc.exe

description	pid	process	target process
PID 4588 wrote to memory of 2100	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 4588 wrote to memory of 2100	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 4588 wrote to memory of 2100	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	vbc.exe
PID 2100 wrote to memory of 4100	2100	vbc.exe	cvtres.exe
PID 2100 wrote to memory of 4100	2100	vbc.exe	cvtres.exe
PID 2100 wrote to memory of 4100	2100	vbc.exe	cvtres.exe
PID 4588 wrote to memory of 4696	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp73B9.tmp.exe
PID 4588 wrote to memory of 4696	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp73B9.tmp.exe
PID 4588 wrote to memory of 4696	4588	584c0b6241c94a0bd06ad1be57123a30N.exe	tmp73B9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe
"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pr5oteg0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc572F2FA62314697A684AD2CB1F7E848.TMP"
3⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp
Filesize
1KB

MD5
99a580fb975a2e53889da5c847bf1a5f

SHA1
4647e38b0f0189fe76e9de5daace0040dd045a5c

SHA256
3eae3a42ce5ff112f34b1d6ca7b7ea7db0135fa1c1e6950d66fb6e140c18a880

SHA512
d39962b06841f9570865e06365de1efd462936c07ac0f265110bd509474f7d9fda3b997246fdcd689b7338a70cad33dd1ebbb4bdd6c03125054ca04547d20858

Download Submit
C:\Users\Admin\AppData\Local\Temp\pr5oteg0.0.vb
Filesize
15KB

MD5
69dae149936ec2beea5cddbaa099da55

SHA1
6fbbd63b8e43fa3a7eb62287306035bed5e4c50b

SHA256
51c35e8d0273a7a822ad8b8bab48869546123f0b4eaf710d5b2b50807ff18bbf

SHA512
951a4afe4a183efb6a6a3ed06492e8203100948d650761cfc7ef02af9bbadce65ebbb8f5468b489f70f6174589a7d4e4157e04fef86af6ef0b2c966f34bc4f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pr5oteg0.cmdline
Filesize
266B

MD5
7c33db835f646da122f244d71b3cbe6a

SHA1
9b3e8f3e93def8d371c28c7c64dce7c269a871da

SHA256
95c50fbddacb9a68bfb56b8f3c2161ff3736ccf70fb1f32f27cc5e8298ee738a

SHA512
3d1065d3ff0332c687ce2c36ad181e88531ffa7cc66d3e203dd728a9790362a6b106ee0656e83f7c0f9a505a4dcd40ff6edffd67b68f030093c490e3d3987f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe
Filesize
78KB

MD5
da5ded5c3000f967cc91e12fc7647267

SHA1
7d89b88311beb16427f87da534bea464acd4fbb8

SHA256
1a0c200ad1dc381111772291d1379e1217dd02a68d49b2c7e95ef5c8a9603dab

SHA512
df31ba24d75effa324f0386cd489d4244215a7f34e8815189c895c03f6e8aa8c6fe15db715217af6727393658dbc7e6b545c895af6e40c14b32b3a9dc67dafca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc572F2FA62314697A684AD2CB1F7E848.TMP
Filesize
660B

MD5
b1aa6d0ec96363c4f361a0091a143ffd

SHA1
b4b9bf103490fb315faea7edc47dd280e5b9b057

SHA256
1cd1549c50ef53cb263f93e0d86fea7911910ecf290019c3d0fcf2125a25dc9e

SHA512
902a90c689a7a28238d9a7af5823a69e0d10a33f65ef194a53c76b15c1eeaec46a10bb1ee6fab33b095acf525826423fd3389516f41385fb7302e21653f66e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2100-9-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/2100-18-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4588-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

Filesize
4KB

Download
memory/4588-2-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4588-1-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4588-22-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4696-23-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4696-24-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4696-26-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4696-27-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/4696-28-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads