metamorpherrat | d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61

General

Target

d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe
Size

78KB
MD5

2cdf9b73fb1cb9ef82bed171e245daec
SHA1

6d1da6afcba47a11ad5c1d20c9df8c168d9b1a18
SHA256

d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61
SHA512

e12e93be3087c28cba543084df3d3d253f1b65862e9da77087a47bcac8d13a848edc24f8401a013df4cb97feb94486bcd3b55c8438ef576c5f0b73b05b99767a
SSDEEP

1536:URWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRx9/O19p:URWtHa3Ln7N041QqhgRx9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe

Executes dropped EXE 1 IoCs

pid	Process
4304	tmpB4C9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB4C9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB4C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe
Token: SeDebugPrivilege	4304	tmpB4C9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4920	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	85
PID 4368 wrote to memory of 4920	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	85
PID 4368 wrote to memory of 4920	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	85
PID 4920 wrote to memory of 4632	4920	vbc.exe	88
PID 4920 wrote to memory of 4632	4920	vbc.exe	88
PID 4920 wrote to memory of 4632	4920	vbc.exe	88
PID 4368 wrote to memory of 4304	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	89
PID 4368 wrote to memory of 4304	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	89
PID 4368 wrote to memory of 4304	4368	d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe	89

C:\Users\Admin\AppData\Local\Temp\d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe
"C:\Users\Admin\AppData\Local\Temp\d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ni5iskax.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB65F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1433DC05D7BA41B4A2E6512F81296C45.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d855ed74332ae7f1517bca3361e90a63180f79f18029efe0394d36d88fc22d61.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB65F.tmp

Filesize
1KB

MD5
187a799568000c9619b3900eb8b61369

SHA1
de9b65eec4675adfe4b6f514c67233320abd0698

SHA256
5f42c3b9b25e590f6010aaa2f02b0622c7a14dda6a9a2a3292dbf103bba28d71

SHA512
d408517d8aa133b724b539b0b350e714d9a3adc7ad9f05ae919599c94f9a37710ab55fa0f651691e50959e3fc30f15428a46542646b4f38e01978816674c743e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ni5iskax.0.vb

Filesize
15KB

MD5
ce03a2b0c02e3af973a6881cda194571

SHA1
5fe072985f5db739867d000fd9da6eb5089e6b33

SHA256
e807429a9be7cb3b0c4387feb4f6847c63b2225734373a83a36823ee51a48a65

SHA512
a04e0e9471c774be75a1fb3a6ff67ff64753c8af15e2f7ef32b5b2cfbd3fff608daab1aaa620ce83a5a80dcd2362e5c57751be32b466ca4b6075ba320df6ac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ni5iskax.cmdline

Filesize
266B

MD5
7240ecb6d8e890964b7316bc7d9e6f4a

SHA1
5ad81bc1bb934e4f83e589f176dd6030518f6194

SHA256
110c6cb60c47cc2507c4b266fafecce1c5890c1f8d129c527ec26106b6f75643

SHA512
cd6a9a950c96f67ad28c1b449c5a3c1833ecdd1cc2912f58f82349436c2e4b25246270fd58a1611d46f662dcb18a275eca847d328cc2377d905956cc7ccf43e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe

Filesize
78KB

MD5
3bad22b9da2fe5a92f95c808fe119af0

SHA1
5e7fec28f7cc67a93356773dd2b4e72d36f18706

SHA256
05a15ddd633ea0b81a409a305d97481d3594fb1f0d5284cc148045e882d36812

SHA512
04337c13c5821121a83fc35c7dee717dd123ff0f4b49f9e107620cfa11769b594eb821c0a8d0f0f9b91e75db089789e41c83510c0652a924cd5f02b14dd7eca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1433DC05D7BA41B4A2E6512F81296C45.TMP

Filesize
660B

MD5
d0d953b0e257531819a1293526d40e34

SHA1
2e0eee39e6f253db843970305d142199ee1a02d6

SHA256
0704e9f6ac118ea51994e2ce195ce45456fe0c00a2bf459cabc699e4dabf735b

SHA512
70ce17c54d424eb4477415762c7b1848f4dfef5986e7a84f849b3437ea1d2006718edd49cc5c515c3300310de2e679008657fbd05dc7d1e22919b12d5f222a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/4304-26-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4304-27-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4304-23-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4304-25-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4368-0-0x0000000074D62000-0x0000000074D63000-memory.dmp

Filesize
4KB

Download
memory/4368-1-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4368-2-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4368-22-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4920-9-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/4920-18-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads