metamorpherrat | d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a

General

Target

d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Size

78KB
MD5

95667e1d6487c7b60fd3b30d743b3bc0
SHA1

fb049542851b604b3f21b2b6d5fdff6ff32acba6
SHA256

d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a
SHA512

09cfd80b049ec312f0bbc64a9d53a6212e82bf70a24feb680860e58a7ac9e80ba699a44cc37a189d82d06ff9038ccab85435a5623c2c38566d7b86739dbc05f8
SSDEEP

1536:UuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtea9/v7g1ya:UuHFonhASyRxvhTzXPvCbW2Uea9/v7s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	tmp8DD8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8DD8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8DD8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
Token: SeDebugPrivilege	2144	tmp8DD8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1608	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	85
PID 3428 wrote to memory of 1608	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	85
PID 3428 wrote to memory of 1608	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	85
PID 1608 wrote to memory of 4500	1608	vbc.exe	88
PID 1608 wrote to memory of 4500	1608	vbc.exe	88
PID 1608 wrote to memory of 4500	1608	vbc.exe	88
PID 3428 wrote to memory of 2144	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	90
PID 3428 wrote to memory of 2144	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	90
PID 3428 wrote to memory of 2144	3428	d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe	90

C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
"C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v8mvbjry.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F228347AC6475F93EA853C80ADDC4B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- C:\Users\Admin\AppData\Local\Temp\tmp8DD8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8DD8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d6d9cd872338e7af5bf61c831373d849b34498439e9fb7be2e7efab762012f5a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F11.tmp

Filesize
1KB

MD5
1c9b0d1a6614a7d46abcc38a62862354

SHA1
3ce1caa9ae4da993a6e732e891fd4c6bac5afd52

SHA256
c0ed2c5745608cf4d27d57603359730764c69b45338f3455d1d2ed40d4691d36

SHA512
e1340907451d2c31fc51e482fa1604b8f569222ea3de6e604980ba3bfcc1f63a24f1906bcfbcdc7ca43f0275855d463922969eceee755021d2819573d3d646fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD8.tmp.exe

Filesize
78KB

MD5
8a0ac2463927d381c951b036574842b0

SHA1
37021879caa1d7190f81b5066609963d5c0b5d29

SHA256
88db2a8c216957e64ddd615b6c43ed17af079aaa7d5704dae68181bcdf3249ce

SHA512
464cc182e992f14b4ae44f41e9f6a60c1d9d5efded0cbcb081deca3e2a18ed80514c2df19fffe119bda3f2be9f18bc53fdba837a0d656e800f6fbb896866df78

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8mvbjry.0.vb

Filesize
15KB

MD5
6414d8e05515b23101d7d63fe727367f

SHA1
c5c1baba7b1345d353b83d4beded43787f534b3e

SHA256
55d82a39dbe54da5095a3e1ff958847b7c1ed2cca7bd5e9dc6c588e67dd1e960

SHA512
c2da168e2dc460b0e4f2b43ef0f61bec6ac3c2a0a645f392329bee3b2429787b4669f4a7ac74e233183539299040fb455e6200132bfa749b52d30b62da2537d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8mvbjry.cmdline

Filesize
266B

MD5
0cf51ed8ca84ff1f3662c6c84b9c155b

SHA1
bf10b333394318bc18ae9a5e292d8b0c1811414d

SHA256
f8ffd6515d68e71f2f251be39c1a47d4ffc5c0547f469ec0c164a8a34a9dec82

SHA512
845c6f1487bf9c87f6e5386701c920de6e7ec05580429e4b8a649d5029456a62266bf8cd83f96cae2f75059beba46db0eef7b092dfda7cd44698ccfb2281cd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F228347AC6475F93EA853C80ADDC4B.TMP

Filesize
660B

MD5
1be35d81f5e36cf5a65c3f2788c655a0

SHA1
1d857170f941d41b3d5c651b1e3365b6a76ad43a

SHA256
cc7e298c2e3650ecb4d300cc580b5dbaf2ef335f100984a4e34383c96f8de10a

SHA512
938fb570927a474f4189e237aaf3fde5e57a62ec41d3970980c6bb200a7d93f09ab076742b79e9f1d7c28ddc2b4901258ace4165f96abc592fdd40f4b5db08b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1608-8-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1608-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-23-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-24-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-25-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-28-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-29-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/3428-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-22-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads