metamorpherrat | 1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489

General

Target

225c0b4ed49f5896b45033ffcc1de010N.exe
Size

78KB
MD5

225c0b4ed49f5896b45033ffcc1de010
SHA1

bddecbf555997ca0124a86ea7be425c2b0040227
SHA256

1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489
SHA512

218649e52649cdae274cc3813e1cb3a4f9412dc1b135fd24d583175b8d687a8bc4dc79ddb73c9eb06b11a5e1a7e4267ce766df107d4fbb04f7cdc159811295c0
SSDEEP

1536:U58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty61h9/WG1FT:U58/SyRxvhTzXPvCbW2U9h9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	225c0b4ed49f5896b45033ffcc1de010N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9357.tmp.exe

pid process

3596 tmp9357.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3596	tmp9357.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9357.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9357.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exevbc.execvtres.exetmp9357.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	225c0b4ed49f5896b45033ffcc1de010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9357.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exetmp9357.tmp.exe

description pid process

Token: SeDebugPrivilege 1952 225c0b4ed49f5896b45033ffcc1de010N.exe
Token: SeDebugPrivilege 3596 tmp9357.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1952	225c0b4ed49f5896b45033ffcc1de010N.exe
Token: SeDebugPrivilege	3596	tmp9357.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

225c0b4ed49f5896b45033ffcc1de010N.exevbc.exe

description	pid	process	target process
PID 1952 wrote to memory of 2652	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 1952 wrote to memory of 2652	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 1952 wrote to memory of 2652	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	vbc.exe
PID 2652 wrote to memory of 1508	2652	vbc.exe	cvtres.exe
PID 2652 wrote to memory of 1508	2652	vbc.exe	cvtres.exe
PID 2652 wrote to memory of 1508	2652	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 3596	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	tmp9357.tmp.exe
PID 1952 wrote to memory of 3596	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	tmp9357.tmp.exe
PID 1952 wrote to memory of 3596	1952	225c0b4ed49f5896b45033ffcc1de010N.exe	tmp9357.tmp.exe

C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe
"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\23xogf2z.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9589.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc973D9C6F44DD46DE958DCC834C1C14.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe" C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23xogf2z.0.vb
Filesize
14KB

MD5
0979a4a29166d7c1c9ec80b27cfbad7d

SHA1
988a133298d6a4aa96d18d58509c584085a065ab

SHA256
213016813466d3ec11a9d468effd44436bc5828c38f731c8735c2bd1421adcb8

SHA512
b813729ce780eb01020df160dd9c280a4961a8d0f34728ced04db82f043853fea132b1ca86d2d904cfc3f60a2cb83f85def6f689ca67cf9724f195863e01a58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\23xogf2z.cmdline
Filesize
266B

MD5
04f193c3e2102e2f4f2bf5c77bc79443

SHA1
844a12bdadc6fd560de478be33c8a87d76586501

SHA256
b2071e4629f7f48cb62993e972d7e11f4f57c85d5c3279a10d1e1548c1fa5581

SHA512
a575eb3d01b36e97206b91aa9e1c0ed1f804bc8f91b4a4146991d75475e17f485575c9ae11381e9047ce9b39c0f770e4dea5d8f7fb170d3a6c7ab45768cedacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9589.tmp
Filesize
1KB

MD5
6965df5bfd5ae2439cfd226a891fabda

SHA1
c89a76dca03b05df7fc0e120a8a608c9d3ae058f

SHA256
7b8c0b7fcb0bfea1ad5e0ed4a442d5c1281870b4de7b6ce02b7416ccdb27feda

SHA512
fe1fdd2cc8acde7f4c77a36b63481d2dab60f908142e25c2b48749ee9be9e02a696db302d471141fb3792b727f932f32182654ff3e782cc6f8b5952b2428d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe
Filesize
78KB

MD5
46d073b24046a7c6e2f4652d20493d57

SHA1
1d3602e86c940227fa1c1fd2a25f2c5b0ab11931

SHA256
5870be4a4387c148b7642ff703b1f9c4a0648ae194770e931b300d4c1fb14c4c

SHA512
ff2c55cd49fbd1a36e20081de04c2155573d31c51f0a98d92bf1164c7badb499a08200c8c4c8222481ac1e767d5d369182aeae5736949ec19da5751ed19a4d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc973D9C6F44DD46DE958DCC834C1C14.TMP
Filesize
660B

MD5
a78d8ab7aaeb3859bf7e23674a012db5

SHA1
73893f6f00774e8600723e0ca3fd7e8db51a7b9e

SHA256
8f76741ca1f95d0616aeecad1d50fa2352985c3a2a2f69c227e959005c51812d

SHA512
e3513b6b8d9b79b522ef847561fa5040a7e8e3a9a1e3585b6a6827651758fcf00ec3c10352fd9de4a5392d70a58ef93169b59a14044dc94bf56ff5610d0f5b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1952-1-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-0-0x0000000074922000-0x0000000074923000-memory.dmp

Filesize
4KB

Download
memory/1952-21-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/2652-8-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/2652-17-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-23-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-22-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-24-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-26-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-27-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-28-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads