metamorpherrat | f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467

General

Target

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Size

78KB
MD5

17890bed103398d6ec4b31c1b1fec255
SHA1

0e318c585a2612df55b9990d3aae0a519222558c
SHA256

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467
SHA512

10b1c592be924f98473344d54ff6fabaa3ac76ca88bb886038975dc775e47c84b65fb9e144340b0f52d63dbc7e013eae9575f0ceaba19070096817f18b5044e9
SSDEEP

1536:nuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRb9/eR1ac:nuHFonhASyRxvhTzXPvCbW2URb9/e/

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

Executes dropped EXE 1 IoCs

Processes:

tmp8D5B.tmp.exe

pid process

416 tmp8D5B.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
416	tmp8D5B.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8D5B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8D5B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exevbc.execvtres.exetmp8D5B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8D5B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exetmp8D5B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
Token: SeDebugPrivilege	416	tmp8D5B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exevbc.exe

description	pid	process	target process
PID 1580 wrote to memory of 4252	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 1580 wrote to memory of 4252	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 1580 wrote to memory of 4252	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	vbc.exe
PID 4252 wrote to memory of 1880	4252	vbc.exe	cvtres.exe
PID 4252 wrote to memory of 1880	4252	vbc.exe	cvtres.exe
PID 4252 wrote to memory of 1880	4252	vbc.exe	cvtres.exe
PID 1580 wrote to memory of 416	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp8D5B.tmp.exe
PID 1580 wrote to memory of 416	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp8D5B.tmp.exe
PID 1580 wrote to memory of 416	1580	f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe	tmp8D5B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ciqc03k.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA29D574DBEE84BB3ABA983074B42D6A.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:1880

C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ciqc03k.0.vb
Filesize
15KB

MD5
55036c8387a7858a769962da2f10c9e4

SHA1
d086f2ec9d010a339da8ae8fecd27b3bed9bd895

SHA256
70af606213f22298708afe2a95bb6a0a068f0f084b07501be1a7610f989d9cb1

SHA512
aaf38c7a9526630d0ef47a1b3fdd64ef4f827debe1d9670ebe3cee9191f444bdeea7c2f3e11634538bca115a0c86935cac85fb51c811529642f37f2e09c0ce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ciqc03k.cmdline
Filesize
266B

MD5
f318e231ded29ebf7ef81807f0bbb1b2

SHA1
7efcf99e35481a33ef0c020fe651532af0d4f34f

SHA256
479d30047c4e92e825145226bbd2c4c062bbe57d435ce52cd353a205830db81b

SHA512
c737fd81bc7c295c4d0adac2882735f920499a0869428270f011a47ddd4bd6422bf250938a1a6eda3dc504ca40cdc2013da624459955cef87bfaf049a521224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp
Filesize
1KB

MD5
fcf269c570fa2fee3533bf8d7d6816da

SHA1
a9a5c1c4ad42e0e3a687963f345cc42082a15298

SHA256
9b736b5e747414d5bca2d1594f4e94b89cf6b9f490537ff5b893377d2db441a4

SHA512
eb4922be5538fe89087f2bb266e384f57755a3a014dcdd3a918bd2513eb0a801ddd192825fb8dc9909827df51f6730bb9a39b04ae983a0ce2b526d77bff1b786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe
Filesize
78KB

MD5
693cbad9ebed55b98bb89e79aa22ddfb

SHA1
d084f17bb863c786a79084b4d7cff719e008955b

SHA256
593e03c8dfacd9aa4a3ecb1072c12575eb66ec0284f5b2752e70537655f2c224

SHA512
d512df8572960bd99949ecf14af34a83f28a04215696016e565000fcd69a2cd227870c563f88082129b4e3a41386e30474f8ede3a8248e852ed56ce30463e902

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA29D574DBEE84BB3ABA983074B42D6A.TMP
Filesize
660B

MD5
6272107cb5ee6d747199e9f936509694

SHA1
ad5d515cda5b486b02203d42fa4b6a9bda02189e

SHA256
8dd7c8a48d4ee47a4b600a5c1d43cbfc7f2e4412bf545d0e9c8f2442d54cbe80

SHA512
737a4d12cdf411ec6f36cd8bb373209c6e5dd3073c45b617d8c8676171f44e796c0022de97727a54d28c0c4d5551bce264e11fb398b8e78509ed70ac63f00410

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/416-23-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/416-22-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/416-25-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/416-27-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/416-28-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/416-29-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1580-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1580-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1580-24-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4252-18-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4252-9-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads