metamorpherrat | 0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae

General

Target

38aefafe444a34c9974398a96bb0e100N.exe
Size

78KB
MD5

38aefafe444a34c9974398a96bb0e100
SHA1

e5ba22e6cf4c54a400a777faf09b06da4db6d4d0
SHA256

0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae
SHA512

f7095694da8cf6ad0c1142ae654087f2429844e06c2b3f65e7481f4a98241220dc253e067f37a5444a1d86d847a9c4a94091763dc691a8392be1a9834c61aba6
SSDEEP

1536:imy5gvZv0kH9gDDtWzYCnJPeoYrGQtC6B9/31dO:Ny5gl0Y9MDYrm7J9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38aefafe444a34c9974398a96bb0e100N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	38aefafe444a34c9974398a96bb0e100N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp801D.tmp.exe

pid process

4016 tmp801D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4016	tmp801D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp801D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp801D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

38aefafe444a34c9974398a96bb0e100N.exevbc.execvtres.exetmp801D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38aefafe444a34c9974398a96bb0e100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp801D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

38aefafe444a34c9974398a96bb0e100N.exetmp801D.tmp.exe

description pid process

Token: SeDebugPrivilege 4952 38aefafe444a34c9974398a96bb0e100N.exe
Token: SeDebugPrivilege 4016 tmp801D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4952	38aefafe444a34c9974398a96bb0e100N.exe
Token: SeDebugPrivilege	4016	tmp801D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

38aefafe444a34c9974398a96bb0e100N.exevbc.exe

description	pid	process	target process
PID 4952 wrote to memory of 2036	4952	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 4952 wrote to memory of 2036	4952	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 4952 wrote to memory of 2036	4952	38aefafe444a34c9974398a96bb0e100N.exe	vbc.exe
PID 2036 wrote to memory of 2196	2036	vbc.exe	cvtres.exe
PID 2036 wrote to memory of 2196	2036	vbc.exe	cvtres.exe
PID 2036 wrote to memory of 2196	2036	vbc.exe	cvtres.exe
PID 4952 wrote to memory of 4016	4952	38aefafe444a34c9974398a96bb0e100N.exe	tmp801D.tmp.exe
PID 4952 wrote to memory of 4016	4952	38aefafe444a34c9974398a96bb0e100N.exe	tmp801D.tmp.exe
PID 4952 wrote to memory of 4016	4952	38aefafe444a34c9974398a96bb0e100N.exe	tmp801D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe
"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FD6A38A81A7421A88621B5CFE5B25E7.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2196

C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.0.vb
Filesize
14KB

MD5
29d3f59dded7b1b0cda4be19486769aa

SHA1
2bf87970fa4ee224f5298ce4b1757a3bb9152825

SHA256
bc3c4c20c538b7a8067582a44804084157a76e9cc00910daf9e4502040299d43

SHA512
7d97ad0464db5671dd9a3e6ac203c39444501fc4e9ead4ba53f89812f15ea602b1e1488b472efa1616ff6b8d76ee24e03e8b5b0d58e82c7c3c54dcbdd4a8c3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.cmdline
Filesize
266B

MD5
e09fd7941a7391a285770b0a6cd02567

SHA1
922684eb6beb1be25e137fc68ad288d36284a7b9

SHA256
c555c4954f0cdd0816312b95ba37dbfeb47a59d3e29f9ed51e351fb8ebba59b5

SHA512
bae04678fc2e2cc2fd0fd557d3b4a80be1ff20ae5fea985058e6a39b8864385b89986ecea95dc8ee99b5693a4eeb45b3222331976af5915e65075794fac0b9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp
Filesize
1KB

MD5
4e7d87b69a5641730fec7c2979b6952a

SHA1
2705c05878fd97a3787d1d9ebdec7438510b9036

SHA256
c812f4be5e257851267727ede86ceaabadd552c272f3923f6875b8cb9c95187e

SHA512
b773498cfeae5bf7f9279bc9f1467b98191ba97707941be06c9d6c9cf8820494ad3a7411cd826976601bf5cf85b928412d6edc880abbb4720710cdcd49b3e4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
Filesize
78KB

MD5
d226c68c333241281308318fdee78c63

SHA1
3fbc55eb77529c2f88fa549608c698818e27b534

SHA256
bb59373eec0a79c859d87c6936c194d23b8b33e14f53fec9a3d263f542b464e4

SHA512
d571ba3ccab07e9fc654bf84471a35001f5dff52034b6ba163927f736295b318081ff95036928954396a900f3f56459eb7caf4f3f037ec00f3e6fa5059bb5b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FD6A38A81A7421A88621B5CFE5B25E7.TMP
Filesize
660B

MD5
a5ada5f00d91d3ff1c6b2937f036908f

SHA1
54c3b9e339a35f7b3fb72c5290546576453a77d1

SHA256
8a42261fa32f829411ab4d1a1112526cc6d0c154a40263b868ea56b468964aec

SHA512
12763f48c941a220e278ae55316f5c9ed000365bb2697953f68e5087a78aa13b036956a85327188a8aca54bb433f4cac3250674b0e4531288932865345e44a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2036-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2036-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4016-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4016-24-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4016-26-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4016-27-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4016-28-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4952-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4952-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/4952-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4952-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads