metamorpherrat | 6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817

General

Target

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe
Size

78KB
MD5

fac04255ae20a86fce9728aca8265b20
SHA1

8795f8c7f845319a981eeb2ffa42a380dee479ec
SHA256

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817
SHA512

5320b1d1b2457efaa4c5725dabddacd5fdd6dae0f7b8e6fb3251669df56049b379a5b3f233c8e902ec483b419294efdd08d43d7d476b5fd52aaadc51b1cf756a
SSDEEP

1536:Xe5jSILT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6e9/YCGo1W:Xe5jSuE2EwR4uY41HyvYp9/YCGv

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe

Deletes itself 1 IoCs

Processes:

tmp96B2.tmp.exe

pid process

2248 tmp96B2.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp96B2.tmp.exe

pid process

2248 tmp96B2.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2248	tmp96B2.tmp.exe

pid	process
2248	tmp96B2.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp96B2.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp96B2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exevbc.execvtres.exetmp96B2.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp96B2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exetmp96B2.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe
Token: SeDebugPrivilege	2248	tmp96B2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exevbc.exe

description	pid	process	target process
PID 3180 wrote to memory of 4188	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	vbc.exe
PID 3180 wrote to memory of 4188	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	vbc.exe
PID 3180 wrote to memory of 4188	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	vbc.exe
PID 4188 wrote to memory of 4828	4188	vbc.exe	cvtres.exe
PID 4188 wrote to memory of 4828	4188	vbc.exe	cvtres.exe
PID 4188 wrote to memory of 4828	4188	vbc.exe	cvtres.exe
PID 3180 wrote to memory of 2248	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	tmp96B2.tmp.exe
PID 3180 wrote to memory of 2248	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	tmp96B2.tmp.exe
PID 3180 wrote to memory of 2248	3180	6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe	tmp96B2.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe
"C:\Users\Admin\AppData\Local\Temp\6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iznweoww.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF71A67EFF1954D2B8B94C2DA1F6265D.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp96B2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp96B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be3cdd0c096a9b0b5e1a16bac34abe731d3ceb3eb183b0dbad1707f21204817.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp
Filesize
1KB

MD5
c348562355e6b0635a2b6e969741b5e0

SHA1
cf434c8fe80ccb12efd0c25da066cee9fd0049e5

SHA256
744febb25968645a6c6c41d266983c4a58cb66b0f648723aea2b5454b4f54618

SHA512
0427f8e1cfaef90c323843529579a63023a80f5d83ce44b0091dc028e9498fedf6030a32974718a2bcc0e71e3ead2b00152487c22330cc65b3571b1dfb8c6eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\iznweoww.0.vb
Filesize
14KB

MD5
5108146b77b7ebcce2712c808dd08173

SHA1
2142850646360d9386c506c82fa525958ccb948d

SHA256
ceecaf92b77a3b4bb06ac9b6cc88a3c6fd9206baf9cf6de382275246abb291d3

SHA512
d410bf60a205fd1e2c40150aeb1eec33906a5b604f8250cb3466378ac8fa2bbc1f17fc2dcbaf57f3b66ccd4841d34769ca617594a7b78429a410f1521c203520

Download Submit
C:\Users\Admin\AppData\Local\Temp\iznweoww.cmdline
Filesize
266B

MD5
1d85b4fe2dca2a3f557a499d0b71f05f

SHA1
64a41aa3b3d773f02fb9148c7cdd821a42a8f3e9

SHA256
a12d2ee4bad7c3a583f8dee979ce4b77d8a17c8fcf0317d4b682a7df93027e89

SHA512
11d5dcdd6bc627d3a06030dc58493f2c646ec191a30f57633f19fddb1cff23b209380384437f1395a0f4b1b39d9b0c81e8a7ad29bc6863838a329908cc6d2b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96B2.tmp.exe
Filesize
78KB

MD5
2ba65ed42fc9d3b7d3c402e8b530c7d5

SHA1
3440bd7067bf117e063cacbe8fac63c88c389417

SHA256
90402580e521f1e45db3c2f5857d0f443b3063561851df289bdbb87ccadeee50

SHA512
032d9e94198acf38c82fecc785788eb241d7747f0b496711117e544228a9e5b5956bcd17eed0682732a6dca0a36eaa81a20f8a71d7aa471d28448b7cb3bd8d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF71A67EFF1954D2B8B94C2DA1F6265D.TMP
Filesize
660B

MD5
2bbacbee8c9eaf25307eca747fca9e79

SHA1
5fb4bdac118a0b0394f653c14f7ebcdfea354db7

SHA256
4f62c922dab781e89692925f3b6c653ea01dc09dd828ec474b7da1cf992e7fd5

SHA512
204e5b35e8dc5a52576583f6ad3f156b110bd5a26642de2da64968884dce46dc9bf603aee9680b4b5659f72e262dadce3bbcd60bf098036c50b825481dbc1a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2248-23-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/2248-24-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/2248-26-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/2248-27-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/2248-28-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3180-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3180-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

Filesize
4KB

Download
memory/3180-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3180-22-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4188-18-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4188-9-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads