metamorpherrat | ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa

General

Target

dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Size

78KB
MD5

dd868c65b9cb2b674e275d9cdbaf0e10
SHA1

9651bba10b11253f50510dd02d7481aa5ac20053
SHA256

ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa
SHA512

c1cfe52762cd6c69d7a88c3fcb86adf78d24ef160da8cf9a7b7d5b620dce647ea8a366f0974e4e96a681bf88a2ac97917fa71267d50249b8c353d77f592f411e
SSDEEP

1536:NWV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC67g9/QR1hR:NWV581n7N041Qqhgjg9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	dd868c65b9cb2b674e275d9cdbaf0e10N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpA98E.tmp.exe

pid process

2944 tmpA98E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2944	tmpA98E.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpA98E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA98E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmpA98E.tmp.exedd868c65b9cb2b674e275d9cdbaf0e10N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA98E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd868c65b9cb2b674e275d9cdbaf0e10N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exetmpA98E.tmp.exe

description pid process

Token: SeDebugPrivilege 3704 dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Token: SeDebugPrivilege 2944 tmpA98E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe
Token: SeDebugPrivilege	2944	tmpA98E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dd868c65b9cb2b674e275d9cdbaf0e10N.exevbc.exe

description	pid	process	target process
PID 3704 wrote to memory of 1708	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 3704 wrote to memory of 1708	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 3704 wrote to memory of 1708	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	vbc.exe
PID 1708 wrote to memory of 816	1708	vbc.exe	cvtres.exe
PID 1708 wrote to memory of 816	1708	vbc.exe	cvtres.exe
PID 1708 wrote to memory of 816	1708	vbc.exe	cvtres.exe
PID 3704 wrote to memory of 2944	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmpA98E.tmp.exe
PID 3704 wrote to memory of 2944	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmpA98E.tmp.exe
PID 3704 wrote to memory of 2944	3704	dd868c65b9cb2b674e275d9cdbaf0e10N.exe	tmpA98E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe
"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyaca2ro.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBB92536155E457FA7A4E3C0E6C4E260.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:816

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp
Filesize
1KB

MD5
67afe07813a6a7526d520611eb969322

SHA1
046b42b6b07b4ebf4e4169357c90a8b3ec8270e8

SHA256
aed063d5ec8b34044bd59482d85955ca79775db0520c72ba43c61f5dedb886bc

SHA512
cc1abddb74a0dc5daa69c8a06f649c2bb3e2de25de5578269f50166966b6bfda57c03b08c7a0425fd96b10d4c5b1af60deef96d4d0d252876457b9662522a704

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
Filesize
78KB

MD5
6f1d8ff7bfb63c256a06a448f11c1bdc

SHA1
b9dda00d618b2ecb470b3cdeae1c595f0177dee1

SHA256
f2f3b5f485796eb5ee6d7925fe91da5527a745ba72f4169c84888d0d191c9319

SHA512
928c26a03e8b2d8ff9010a0719fdcb3ab7d0c8cb16517a9280cde8ec608835d29e229f1c442b0f3844c5aa4e4909b6c42d76c61bd8f882205d4edd46b2ea9bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBBB92536155E457FA7A4E3C0E6C4E260.TMP
Filesize
660B

MD5
0d361ee7a5a6d722b546ce9ce3ea036f

SHA1
ed6afdd5ba1bb4859991caa69a058b16285660e2

SHA256
6c3efb0f0d058801ce1bfa76b71bbd4f15e964addf747a924da1c8792562b0fb

SHA512
db881c656840f9323f72f556c7589814f2fb3adcc4df43039feb3465a30a1a526ce12b68863c5883c04bcac3d5173849d3eef63068d36fb2b4d781948e7d26bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyaca2ro.0.vb
Filesize
14KB

MD5
b5fb5e555eebe39f22afe4fd00520573

SHA1
3a4c5a95e7ce63411214c7546b7018698a807c44

SHA256
c49d57ac5626206599aac3a0e7a10e1c00edcfb5221bcde729a919863fcf3a57

SHA512
dcfcec68b1c8da632d10a2d5adfe405316f30ed7b781822c4a0e6011ba7fec7658b50359dca443595ff8772a334e2e5afac9e530254c23622ad7279a261adb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyaca2ro.cmdline
Filesize
266B

MD5
d97776278a99cc4f33747f48cfd5d710

SHA1
5ea33bf362faa561e696cf1bf396ed2adb659b34

SHA256
9cbfdc1dbb8ff5262c1a05ca8c6f3e47844643c829aa155cb9c644be67f6a93e

SHA512
d2628f3ed690c342a164b4c9e8dd8e9b4baec6b72d86e81aa4181c73c1e4204436cc5983c2b0b51e57d0d1c44f671e71c8e19b22910caabc99851a1232bc8d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1708-18-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1708-9-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2944-24-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2944-23-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2944-26-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2944-27-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2944-28-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3704-2-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3704-1-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3704-22-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3704-0-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads