metamorpherrat | 62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

General

Target

86ef2a66c72c1d358578f09b15ae4dc0N.exe
Size

78KB
MD5

86ef2a66c72c1d358578f09b15ae4dc0
SHA1

b84d8932f011b1f3a2b923af8ae2a2359142a4a5
SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
SHA512

7ca899f0df1d3e605f2a7443e578fa382f091b0e5fd6f70f1287bd4315210a6373fae6283cd8da664e556a8d4f68332ce7d10be0214654f252f3833902547fe8
SSDEEP

1536:Yy58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96b9/Qd1W2:Yy58/SyRxvhTzXPvCbW2UI9/8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp827E.tmp.exe

pid process

5052 tmp827E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
5052	tmp827E.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp827E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp827E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmp827E.tmp.exe86ef2a66c72c1d358578f09b15ae4dc0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp827E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exetmp827E.tmp.exe

description pid process

Token: SeDebugPrivilege 4756 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege 5052 tmp827E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege	5052	tmp827E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.exe

description	pid	process	target process
PID 4756 wrote to memory of 1220	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 4756 wrote to memory of 1220	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 4756 wrote to memory of 1220	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 1220 wrote to memory of 3144	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 3144	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 3144	1220	vbc.exe	cvtres.exe
PID 4756 wrote to memory of 5052	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp827E.tmp.exe
PID 4756 wrote to memory of 5052	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp827E.tmp.exe
PID 4756 wrote to memory of 5052	4756	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp827E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oclwcmj5.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AA8D4E49F3D47938168462F8634E78.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3144

C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp
Filesize
1KB

MD5
718bc1875cb07bb34f66c9ed8d670998

SHA1
4fe288b3d134e38bec9f2c19261d79de8eec24b4

SHA256
cf435a53a1057560e9402e06d8c781fd29acfac6d1816b5bf1e1657f92b3e222

SHA512
f37eba047abd5bf099372bfb81bc6c73924c4a3d3341ead431d22b083eb2e5a023aa12e19658b6ab423218c174a2700ebf9532c9725e69cb6dd532ee6d0a9f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\oclwcmj5.0.vb
Filesize
14KB

MD5
c70d1b126ece345cdc1b520b9de4d44b

SHA1
9948a71a5cd368fa016f2fa51919911844f5a527

SHA256
a059ee0b3237894a86867417bb7f574aa8eaec3df094f8410cbecc804059d2cc

SHA512
df38f5172f5a0548dc9d670706899014065d47b20b1dd09ba7b17c4d540ca22e8fdb8d80f52e08949adf074379cf619c3334657f1ab0aba5fae25aea04f4575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oclwcmj5.cmdline
Filesize
266B

MD5
4208fde24fd65bc29771d23d059e9060

SHA1
ad9753147c9c6255e7444d335bbddb02171528c9

SHA256
a0b197d4c9982fb083cf9dade170ac41fc228d89f0aa71340a1b2726d5849c04

SHA512
9dbafe72aa317616300d10d89d7afb9e4b3f35b87d877a6770355880358aa7ab62fd0ea511f8b81f57d57c7287f72e6bd412ecd3581b3bce5c241373c29c805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe
Filesize
78KB

MD5
d8fc893955e9d679af56d747b6bc505f

SHA1
06cdf47d043c28fcd16a1b518a902c8d0ae084e7

SHA256
51773199890b4022eb57636ef332e88eb7efdbbfc86cdac57ca338638b387140

SHA512
0b3fbf2c564a6e868a62164512c721b8b1d4b50b09191813b21d17b22d7ca601ed833b02eb2e6a49eb55d05cd0a7a7c53f1a9222c903030692ebee8a81f25cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4AA8D4E49F3D47938168462F8634E78.TMP
Filesize
660B

MD5
856be03052d04c9b5ac0e32fa2a653a2

SHA1
28efe39b92c88dc4dbb59f8252228fad7cf076cf

SHA256
9750f919419e034d9edb70cb054a00d57329082dfd6da6ea2cd30e403cf3b689

SHA512
b3422b4d504f600457c54a12f153ce56c7880540576527c8a9a5fb3e51c5910eb34696653e72d4f33ad6fd462dbe971df1c67d7b3b7139b87541522cff70d53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1220-9-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1220-18-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-0-0x0000000075442000-0x0000000075443000-memory.dmp

Filesize
4KB

Download
memory/4756-22-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-2-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-1-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-23-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-24-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-25-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-27-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-28-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-29-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads