metamorpherrat | 6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7

General

Target

5e33b6299facd682436d9b0d84ad2730N.exe
Size

78KB
MD5

5e33b6299facd682436d9b0d84ad2730
SHA1

d009e6006dcc2d0581f691c7ed8a0d28fef0014e
SHA256

6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7
SHA512

69551cbedee43567919cf761e0aead9c9f9147ec2ff9ed451c7e04829e0432cfae13d4a771ba30a5724e0a45f0927c3168d5892345501e62418b701cc0b0982a
SSDEEP

1536:VHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRq9/YD1Si:VHYnhASyRxvhTzXPvCbW2URq9/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e33b6299facd682436d9b0d84ad2730N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	5e33b6299facd682436d9b0d84ad2730N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp8D0D.tmp.exe

pid process

112 tmp8D0D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
112	tmp8D0D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8D0D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8D0D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5e33b6299facd682436d9b0d84ad2730N.exevbc.execvtres.exetmp8D0D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e33b6299facd682436d9b0d84ad2730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8D0D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5e33b6299facd682436d9b0d84ad2730N.exetmp8D0D.tmp.exe

description pid process

Token: SeDebugPrivilege 3104 5e33b6299facd682436d9b0d84ad2730N.exe
Token: SeDebugPrivilege 112 tmp8D0D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3104	5e33b6299facd682436d9b0d84ad2730N.exe
Token: SeDebugPrivilege	112	tmp8D0D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5e33b6299facd682436d9b0d84ad2730N.exevbc.exe

description	pid	process	target process
PID 3104 wrote to memory of 3256	3104	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 3104 wrote to memory of 3256	3104	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 3104 wrote to memory of 3256	3104	5e33b6299facd682436d9b0d84ad2730N.exe	vbc.exe
PID 3256 wrote to memory of 4880	3256	vbc.exe	cvtres.exe
PID 3256 wrote to memory of 4880	3256	vbc.exe	cvtres.exe
PID 3256 wrote to memory of 4880	3256	vbc.exe	cvtres.exe
PID 3104 wrote to memory of 112	3104	5e33b6299facd682436d9b0d84ad2730N.exe	tmp8D0D.tmp.exe
PID 3104 wrote to memory of 112	3104	5e33b6299facd682436d9b0d84ad2730N.exe	tmp8D0D.tmp.exe
PID 3104 wrote to memory of 112	3104	5e33b6299facd682436d9b0d84ad2730N.exe	tmp8D0D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe
"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18AE8C90587946FA894A5C492F851CCC.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp
Filesize
1KB

MD5
40fa90433f24d16b9452b2449aa9456a

SHA1
3723cdb8fcb6723433d46af15e66ee65862529b3

SHA256
b6688a7d4438d03d3c43c2df65a1a892075dcfa57879c39e4ac6857d5f0bc228

SHA512
bff5499de7e41ece774bd65877915eeefe959f21fa32070b3eecf1c5fc81b405c8359cbef5869734c84a83ccb1d419f711435c8cd4dd975f2f5bcc69e433c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.0.vb
Filesize
15KB

MD5
9d62b2836c67038bf5c6df7ca05d9cf9

SHA1
8f3d6808eb9cd4863ad1d0a91b6d696249ae6755

SHA256
8862c84bc6f71aa5dbf658ebcd4e88aaf7fbfeb46a0a70f2319fef3953a421d8

SHA512
012bc0ac4c7a4dab0d8bfd9370cc2263bacc2be172c708a6f5cdae718ad41a61e54a3eed606e0ca56b21b4d2e6cce8e85a7517372607652b3924d3383fa83b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.cmdline
Filesize
266B

MD5
f200fd9a02dc6896f4c60a56335cd05b

SHA1
89ecd45c645acf42436775d7f3c381143853a0f6

SHA256
2015165036304950858e9c48974a2a41386f5d2e8519b73cfd73728cc9158acd

SHA512
5d8a3ad6d79c317685bc3d3ac87d61392ad400f49566d51a322544bafcbe6caba695990bc2a7286cc5362d6e079a1d61634fc445494fea72849d39f2d22b8d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe
Filesize
78KB

MD5
d6fc93ddf946d7540c75e4f47e64ed8d

SHA1
5bbf857384e87aa59f92c849b5e79aab2d630a48

SHA256
a3f75b343e69a970464cc3b64025a7703528582ddb7bdd46f064accab33fa2ee

SHA512
09413bf8e9c73d152716f799f8bbca4da246b7bb14208fcd74c8fb59ea67d177f15ed0617ea18fbb3fc3c96475e084509e75f27ac59360f1be6031c0f38d7828

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18AE8C90587946FA894A5C492F851CCC.TMP
Filesize
660B

MD5
4f8bd209e257d7ad68f28fc182dd934d

SHA1
d61df22e57a71e673ee552f0a518970873120b16

SHA256
43862525f0243afb96dbe596c0c20b7de912c2a4003a85c8cda8b0e83694047c

SHA512
d42b04fa0e80f98da8b096aa7256ce10b61f83f31d2324772192bc1fbbfd15d1cb70dd40b8bb34db7a6a1d1da33cf125a4288c1862c1efdbdb3b3e916feba4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/112-25-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/112-22-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/112-24-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/112-27-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/112-28-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/112-29-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3104-2-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3104-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3104-0-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/3104-23-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3256-8-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3256-18-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads