metamorpherrat | 1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7

General

Target

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Size

78KB
MD5

4ac1291fc0ec8ea3291ef6144b7df361
SHA1

d91139e68eb52f92e0508f37c83712c5c6321f60
SHA256

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7
SHA512

807adef244d28dc56dc0453edb409af047cd96ec2a623d4a4b3a5b0d46f4471a901c5391f2d902d9ea17111bda7080040046b8d026de876e4d43a013df840caf
SSDEEP

1536:StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQt/Wy9/QA19v:StHsh/l0Y9MDYrm7/Wy9/L

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

Executes dropped EXE 1 IoCs

Processes:

tmp7F03.tmp.exe

pid process

2116 tmp7F03.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2116	tmp7F03.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp7F03.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp7F03.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exevbc.execvtres.exetmp7F03.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7F03.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exetmp7F03.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
Token: SeDebugPrivilege	2116	tmp7F03.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exevbc.exe

description	pid	process	target process
PID 1168 wrote to memory of 4364	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 1168 wrote to memory of 4364	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 1168 wrote to memory of 4364	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	vbc.exe
PID 4364 wrote to memory of 3704	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 3704	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 3704	4364	vbc.exe	cvtres.exe
PID 1168 wrote to memory of 2116	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmp7F03.tmp.exe
PID 1168 wrote to memory of 2116	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmp7F03.tmp.exe
PID 1168 wrote to memory of 2116	1168	1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe	tmp7F03.tmp.exe

C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7euzobh.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C7A3A0D77664D1BA355C993996DE6AA.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3704

C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp
Filesize
1KB

MD5
02743cef34323788a9ddcf2151449d8f

SHA1
6d53afd34060caac471074c52c92f24540498bb7

SHA256
a0a55e986e228743c0ce51092e5d0bbf0d07a66c6b1d12910a13be7a7953ce6f

SHA512
216f60d345b79a6c9851936d196207660b4bb056146954f183557bf34267c7cc09909c1ef9751ff9ff7f1722858cba39af43b81ada1d50dd446b680ca4d219a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe
Filesize
78KB

MD5
492b939c48cf442822aafff73903a0c2

SHA1
d2ffa2a4d83979774cf657b4e725ed0c04b1962d

SHA256
508f515adee7c08bd1f870492520d66484843587677b51275c8ac456783a3847

SHA512
ea52294a566543e8b93c7a0c0f0c679b38535142b3c9d595b10f92ac12a6b98ee6bf2596e52214fc5ecc1a7d6a748c801ae0bcbd41c11f8d8e4405afb0b32801

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C7A3A0D77664D1BA355C993996DE6AA.TMP
Filesize
660B

MD5
b9a83166228a3daaaf604b9302741bb9

SHA1
552619300079783c0a73482823757a8c84ebe6dd

SHA256
055d061d73a296da6d8715fcb32b05d7959ebc23f2f58bb691a7a0a2afd2a81e

SHA512
e37f3850d3edcb53b2491ef1c1a959e4240f3bd657bf8375ee824b3474f529ea5fc5c9d341a61af6abb47505a74819ca9b44e1ac0f06b3c25d189a400858cf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7euzobh.0.vb
Filesize
15KB

MD5
5312747f88ffaeb5a001083e73ba844b

SHA1
f4dd5527b02a9f006ccd7c15a9c854884a531e0d

SHA256
06e0daa79fe1cc0c99707f84cad3c01ac13e2b672fadbb6e21e9956ac9387054

SHA512
d8b0da9ea189264b9ac3442086f186c6d0832d68a573be7d08baf7c68c71abeaaf02c5da85430126140b4bbbc7559719e9957230942484d633df65b6041a5476

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7euzobh.cmdline
Filesize
266B

MD5
9a583fdf7eeefa6976fe1c1be0fa4091

SHA1
2b587443a494ecf27a4496141a3f00e9a1f16531

SHA256
1192509295682b5afc875667439acf66b300677e1b2ca8efc5f78b4c616f34e6

SHA512
f259619edd7f6c621a9a0e72bb466bb11fc2687a3c33dfb6c6f637b3c2c519ab4c1880653f68d77e3c6cbf0ccbb07aef9a9551b89b7bcd19c509c0a5071b60e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1168-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/1168-22-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-23-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-25-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-26-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2116-27-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-18-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-9-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads