metamorpherrat | 9ce97c2d25839e5800d080d886994eabfc3d9027e5d9c04549b3ebf3e09ad190

General

Target

a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe
Size

78KB
MD5

a0f7b6176efdcc6a2bb9f90c3d58d3e0
SHA1

466310f896964576dc10a1e9d8a1b9b1cad393d1
SHA256

9ce97c2d25839e5800d080d886994eabfc3d9027e5d9c04549b3ebf3e09ad190
SHA512

3afccc80ff20f23e8b29114bd43c797159fca92c980be55105d74acba4f748d0a01a53af4f6914ec61cec6fbf91014c31728e838a7feaf961f0cf9a3a00b603c
SSDEEP

1536:x4HH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtY9/911b:SHa3Ln7N041QqhgY9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1140	tmpA180.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA180.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA180.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe
Token: SeDebugPrivilege	1140	tmpA180.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4116	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	85
PID 2320 wrote to memory of 4116	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	85
PID 2320 wrote to memory of 4116	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	85
PID 4116 wrote to memory of 1228	4116	vbc.exe	88
PID 4116 wrote to memory of 1228	4116	vbc.exe	88
PID 4116 wrote to memory of 1228	4116	vbc.exe	88
PID 2320 wrote to memory of 1140	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	89
PID 2320 wrote to memory of 1140	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	89
PID 2320 wrote to memory of 1140	2320	a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe	89

C:\Users\Admin\AppData\Local\Temp\a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ykflrxi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBA9A1298A1C445597786449F51761B1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- C:\Users\Admin\AppData\Local\Temp\tmpA180.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA180.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a0f7b6176efdcc6a2bb9f90c3d58d3e0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ykflrxi.0.vb

Filesize
15KB

MD5
d7b30ea61b436806268a259d150a8dc4

SHA1
a58e53b4b58599228a7b047bcb2004fb3a5d630e

SHA256
1b76a6d8aa55be19c190758a8532b4d8db469e144e2b3485674b693c228ff311

SHA512
a69bb9155168adf15d1dff01c90bb62726930b7b57c103fa1e47d7a14d5f25fb6e8d2284902ff4e31d94d29236a37e3a76a27c04ef786471bfbf917f000ab0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ykflrxi.cmdline

Filesize
266B

MD5
4bfcd9a5294c085a1f860c824e56d034

SHA1
67f6b5e1929a288db66fae739d518ac4b628a351

SHA256
ee779343066a54b68ec0bda992911c385aefe917a13a2983c99d1d4dc375d2aa

SHA512
b9d1a3e07839a2e77492874e252de66f15277d3613ab5fefa5da20744faf51e3a947d9eb10815c95669ac46d9124ae6941bad00978d098ef2cd1cebcc3f58533

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA345.tmp

Filesize
1KB

MD5
8a7fa2429150288b30cf82e2f2441d54

SHA1
76bc797564cf6211d75758511ef8996e41f59418

SHA256
72cf3e6fb3328cc48cf68168297e519b97b7ba35282847dbb28f8f5caaa94a73

SHA512
1e71d2edfd9b12760908cf3a1b387d2a51c3e88ec4ec651fd74f23f74f653d64e2fbb9a353257257e145c926695ffebe7a14625fa1ea51946125a6a4e7bf818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA180.tmp.exe

Filesize
78KB

MD5
d92e76f6c7a28f21b51b0eef1e097b1f

SHA1
5fe65a04b8382bfbc84e1977e4af08a11ca36213

SHA256
f4b23a2a9d6a5a125fc9930ab55de05068ae498a41d9948d4ccd3987abe33259

SHA512
579985cbbfd58dbab99e118a048f4e672a096e980a9b69ddb2bb41ede33bc0c7e52a1622a5c9ca2a9353069308d0a7687b1eb268dbfd592812286be8863c54e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEBA9A1298A1C445597786449F51761B1.TMP

Filesize
660B

MD5
24754407307edb6368aabba79d19fcb8

SHA1
cd7dcd8065fbe75bdfcdce80d3f169e092ce1ae3

SHA256
c182a755bbae5dc688448d9250c025fd2c8d4140aa5624ac466833f3bb7f821e

SHA512
fb251909156051ae93eab576f11421df189e83e6c31b4ddcd33756e19386d555ffdd94f79e69aa20ae6082d7ed2a1155f8184d645c66d1bcb6a2347eea388d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1140-23-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1140-28-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1140-27-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1140-26-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/1140-24-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2320-22-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2320-0-0x0000000074782000-0x0000000074783000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2320-1-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4116-18-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4116-9-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads