metamorpherrat | 41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b

General

Target

11289a05fb5a3741bd4a83bbc083e210N.exe
Size

78KB
MD5

11289a05fb5a3741bd4a83bbc083e210
SHA1

ade9f086f15a970b8031cbd2d047b65b4ed7e844
SHA256

41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b
SHA512

8bfbeab532958f35b6a0d57d17670a123b3c664a2112b3110150c16d64512d54cb9c5824d144599c215ca072fd45c8029fdf56a9dcde9ca9a0818f7da99a6da3
SSDEEP

1536:Hy5jYXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtU6D9/U1db:Hy5jgSyRxvhTzXPvCbW2Uh9/A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	11289a05fb5a3741bd4a83bbc083e210N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9EB1.tmp.exe

pid process

3940 tmp9EB1.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3940	tmp9EB1.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9EB1.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9EB1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exevbc.execvtres.exetmp9EB1.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11289a05fb5a3741bd4a83bbc083e210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9EB1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exetmp9EB1.tmp.exe

description pid process

Token: SeDebugPrivilege 1604 11289a05fb5a3741bd4a83bbc083e210N.exe
Token: SeDebugPrivilege 3940 tmp9EB1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1604	11289a05fb5a3741bd4a83bbc083e210N.exe
Token: SeDebugPrivilege	3940	tmp9EB1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

11289a05fb5a3741bd4a83bbc083e210N.exevbc.exe

description	pid	process	target process
PID 1604 wrote to memory of 1080	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 1604 wrote to memory of 1080	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 1604 wrote to memory of 1080	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	vbc.exe
PID 1080 wrote to memory of 4580	1080	vbc.exe	cvtres.exe
PID 1080 wrote to memory of 4580	1080	vbc.exe	cvtres.exe
PID 1080 wrote to memory of 4580	1080	vbc.exe	cvtres.exe
PID 1604 wrote to memory of 3940	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	tmp9EB1.tmp.exe
PID 1604 wrote to memory of 3940	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	tmp9EB1.tmp.exe
PID 1604 wrote to memory of 3940	1604	11289a05fb5a3741bd4a83bbc083e210N.exe	tmp9EB1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe
"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc799AC87543E743A2869DAA33C084E3D6.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4580

C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.0.vb
Filesize
14KB

MD5
910ab51893db0700a4810dde30bd7401

SHA1
c06c9946245b32213aabd78cc63df204b49ba1b9

SHA256
0dbb39012d7cef18617bc56f1b549e33da442e3fa9405fa3613041ef2706e910

SHA512
61eb243833111c0cbdd972dc776908e5849a3e9e93d94b76a813e312c9eb6d994d5b9dbdd8aaf5e8f100aebe15c99fa1eb455c790d089f958ce1bdbd91c6a780

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.cmdline
Filesize
266B

MD5
6e65567a99474ff13af361b526a7bd89

SHA1
9c789ede10aadb71d148b7acb524371b3bcb87a7

SHA256
656b743b0a4f7cc4bec1ffc4dc23771a2589f74b78ad3abdc95757889db0c0fe

SHA512
fcfc8ef3fcfdc819aabaff615e4bc8c4705feb10c6bf694d196f7d0603e65967ae21f0bc305723b1705f4b9ea14a59aed905fa7d11b91d536bb15121cae81425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp
Filesize
1KB

MD5
1fd1e7b2c7fa31a50196480fa66dc802

SHA1
3393f47473b0af803fb69c48eb8d0f3195a6ce21

SHA256
119c2a916cccf9d88e5ffa2173559d7032b9ae6d031e1303c8eb873222bd00e4

SHA512
57936343b80d227d9ded1eba3b05eaaabb0edb63bb00e0d03acb63d090c81565e46955d3c2c7172439ad46cdfa54957d2a359a034c6d0e5023a05855289081ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe
Filesize
78KB

MD5
26b7add58936d6977827ed47fbe63d2b

SHA1
623972a93a089bda488844438dd48f0e90fd826f

SHA256
8c82f76ed5305517203c454e70b5012b8604b01edb858942b524a015e2c66176

SHA512
fa3cd374d84ad4b6d49a0b089447d2d2bf619fe75eea6f7ea00d8951a3ea8f67cd5851de5fa6a3e7c1602ed7c7a766686f631e2653d0e5eae038a4449a8affcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc799AC87543E743A2869DAA33C084E3D6.TMP
Filesize
660B

MD5
5d70e77a815d303ebf985b116e88af71

SHA1
f1bb8fe83061aa029dab5e0b88b8f118fd58ccd4

SHA256
a2a24cfb23505d2457ea0f1865a2ab386752f0b5b20abab7514c3b7866cb976d

SHA512
6fabd3b7964c9d9af0189d032284691be3cad5b48b5cf653f1ebcab1c350efbe234ad95a247b5c04918963130847095b9c34cf7354f28b4252a6709c3b1aa11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1080-18-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1080-9-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1604-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/1604-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1604-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1604-23-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-24-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-22-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-26-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-27-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3940-28-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads