metamorpherrat | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff

General

Target

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Size

78KB
MD5

6decbc4c1e25065e0b08cd3cc00c5193
SHA1

582f4c9820129ce54bd5c74e545099a0d5eb2c68
SHA256

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
SHA512

7ae6290028171de3f86d2cf9e174c6604e57f5e5cb3e19e091ee5aceeab8547c063cc92d74834a35447db47538331b9fdc2d85501555618681df50941d7d2071
SSDEEP

1536:mHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLI9/9O1Yv:mHY8dSE2EwR4uY41HyvYLI9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

Executes dropped EXE 1 IoCs

Processes:

tmpB035.tmp.exe

pid process

1316 tmpB035.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1316	tmpB035.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpB035.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB035.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exevbc.execvtres.exetmpB035.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB035.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exetmpB035.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Token: SeDebugPrivilege	1316	tmpB035.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exevbc.exe

description	pid	process	target process
PID 1756 wrote to memory of 1964	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 1756 wrote to memory of 1964	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 1756 wrote to memory of 1964	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	vbc.exe
PID 1964 wrote to memory of 4780	1964	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 4780	1964	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 4780	1964	vbc.exe	cvtres.exe
PID 1756 wrote to memory of 1316	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmpB035.tmp.exe
PID 1756 wrote to memory of 1316	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmpB035.tmp.exe
PID 1756 wrote to memory of 1316	1756	f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe	tmpB035.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4780

C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp
Filesize
1KB

MD5
cccd1afad03e6d6c6b6c756ae943ea09

SHA1
740fd4744f1c27b311167f3b23e0b2e5367d9a8f

SHA256
ef06eb833b90ea025446ddff566d0c234689c2a9be10c75e15a4f8e8a0140ccd

SHA512
dd8edcda325e433e71fbb905e0639da39e38375a4046bdb57d38cf614d7bcb8fc8e7ab3ed371ca50f462e3388d8a4d618498bd4fc8736d47ade0398257e2143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\etflx7_s.0.vb
Filesize
15KB

MD5
b6e076569014c1504f10f402b4500bf1

SHA1
2d946dde31e3cac560dd3695a8c0d928c547c45b

SHA256
840b439b955f3aade074b149ccb1bc49d6e2bed72599a9cadeafdecb1008043e

SHA512
d5cfefb7372d8df28296b26d88d160c3ddadac05d746bb8fa5840590ed19b4b3233aca0e3941916b2ccbd8c9de16a0526aca118ac51ebcee0c3caf75da60a814

Download Submit
C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline
Filesize
266B

MD5
de6785abee22a787c242bb23c60568d6

SHA1
0cfc2c20e1b8227bc074fd63baab7be179e7e2c9

SHA256
3bb0a7f3eaf624fda9feb401c9f763036174f13068e16137145bdd8d362a26f7

SHA512
d55c5feb6b12e317a38c7bbff1b35587e44c03d720307e7d1d12acb5f479aec140508675f82b6a5fffc45bb4c4c72020a538b427cdf1f866e55f4cc2edba7298

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
Filesize
78KB

MD5
3bea4c1dab266d43a2c2b145ccdb570a

SHA1
a1f64d4fe16970ddb52a101e3aa052fd628efcae

SHA256
8e20258dfac87f7906abb66111616d0baf0cd08db4944c84766a9629846a2369

SHA512
e3e61c53126af8669c767b0371a13f25bfba88fd6376da52f9401071977c469c690fcda2ae4f356afd0d9d96ae8efd4b161ecaa255f2074e445d00c3a7699431

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP
Filesize
660B

MD5
31786bb106ce27678c8cf47292f6e23e

SHA1
8a1a798561a172f4a31c2a05ebb53f971ae0ddca

SHA256
e6e7babc0014aae8eeacf913253a4700ba363a2ea37926169bea56a923c80ac0

SHA512
7a20a8b02d9d51e1442da55877bd67a79201ff4bc4efed796512f45463fc26f67cbfc7dba662609c98f382a359ca6ba6e373f3b64d37b34c4d79f7924c34c726

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1316-28-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1316-27-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1316-22-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1316-24-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1316-23-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1316-26-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1756-0-0x0000000074842000-0x0000000074843000-memory.dmp

Filesize
4KB

Download
memory/1756-1-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1756-21-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-8-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-17-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads