metamorpherrat | 9f0e6950d67a024b4a67615f2ba277e6c9b2e8ae4856241cbaf7ead986b94a66

General

Target

c1535523bdbc63a13d5845519e25fd00N.exe
Size

78KB
MD5

c1535523bdbc63a13d5845519e25fd00
SHA1

8b0b47e7de1e89fb9eb6d9b10cd64a12a99389ae
SHA256

9f0e6950d67a024b4a67615f2ba277e6c9b2e8ae4856241cbaf7ead986b94a66
SHA512

57708b9e3a9967d6759dac4c265380c40d9efa1cd4daa85c2008c48ffeaa884de6d973d51bdc0fc76aac29e031f0e1a0378aeb6015f2412bac08ee33ed1a9741
SSDEEP

1536:wc5MXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt961o9/j1jg:wc50SyRxvhTzXPvCbW2UGo9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	c1535523bdbc63a13d5845519e25fd00N.exe

Executes dropped EXE 1 IoCs

pid	Process
3356	tmpCEAA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpCEAA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCEAA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1535523bdbc63a13d5845519e25fd00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	c1535523bdbc63a13d5845519e25fd00N.exe
Token: SeDebugPrivilege	3356	tmpCEAA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1804	2676	c1535523bdbc63a13d5845519e25fd00N.exe	87
PID 2676 wrote to memory of 1804	2676	c1535523bdbc63a13d5845519e25fd00N.exe	87
PID 2676 wrote to memory of 1804	2676	c1535523bdbc63a13d5845519e25fd00N.exe	87
PID 1804 wrote to memory of 3624	1804	vbc.exe	91
PID 1804 wrote to memory of 3624	1804	vbc.exe	91
PID 1804 wrote to memory of 3624	1804	vbc.exe	91
PID 2676 wrote to memory of 3356	2676	c1535523bdbc63a13d5845519e25fd00N.exe	92
PID 2676 wrote to memory of 3356	2676	c1535523bdbc63a13d5845519e25fd00N.exe	92
PID 2676 wrote to memory of 3356	2676	c1535523bdbc63a13d5845519e25fd00N.exe	92

C:\Users\Admin\AppData\Local\Temp\c1535523bdbc63a13d5845519e25fd00N.exe
"C:\Users\Admin\AppData\Local\Temp\c1535523bdbc63a13d5845519e25fd00N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dzmdmwz7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96802576E21648F1BAD5E822D78142.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1535523bdbc63a13d5845519e25fd00N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF85.tmp

Filesize
1KB

MD5
b26bab20e582603aaaa5fad27e7b7999

SHA1
0ddf1189d67bb5e36321c202a178dccc5afa3b0c

SHA256
f5a1ab7631cd5575885529f42be71376039ca24aa6bf1d70a5761956739df8d2

SHA512
a8bcdb10b3294738aa7a0b8e874b7b90174301cb7f63d2c192dca289fac3138f3e67dcece422b57a0ded20cce13cfcbcca4c478e63c528314803282be68e4e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzmdmwz7.0.vb

Filesize
14KB

MD5
52b92733764a7e9ee31291dd5eb51df9

SHA1
662ad0695027711487adf0c2ff0fde2bd2e359db

SHA256
4782dc1335f949e9bc6fd25ed93aae0f49bba871afaf4795fdd5fedf5613262d

SHA512
1611f3190936fb4bdf9af74aa9d4cfadde16130142ed237eceeae7e47a6751a56ee76693266e6fe4fd21d02d67aaf35a8a114fa5fb9d739ba8953389c1c90053

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzmdmwz7.cmdline

Filesize
266B

MD5
ef737c41174b41b121f8b6c3b0cd6f4c

SHA1
92483c014c56cc98fcd199b98c712ec5f121ca54

SHA256
4b4a301d7a083c918bafee2b92752a21d263820f8bda38eb5f43764ea248054c

SHA512
f31c13f823bca7b3e3b78ab0ad81e3c493b503fa8f09f52ff638657205049f20f8f82b9bc5b989b21a374aaeb19e801269577614dfa9489a3547272d7044d734

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe

Filesize
78KB

MD5
77a299c1bf25085a6cba457c3be90f6e

SHA1
773e1e7a8c831dca27d6da862ede70ff78613544

SHA256
59249d4bc83e39d2a7e489a5c55dac1f60e6deb0421f72f1f4b8f7abeee0a510

SHA512
4ebed2829557b9d4b0f7fdea1fb7e1f29b6bbd973b5061821343bdac438656c472059627f5b52510f2b5512cdefdfbcb60cfa3b332cd7b66724519b4fbcad315

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96802576E21648F1BAD5E822D78142.TMP

Filesize
660B

MD5
4abf32eee2cb5d2e313b5740f53df960

SHA1
42ae18cf28938dda4acd3cbddddac3ea1b12d81b

SHA256
e0880df38c6d66e8e280467b3324a5dd4e49cd34fc2fb2f52db52647310f6f65

SHA512
5dc133314ab01d06080508b8b7b5e2ecd23789b66cbac225f12df66ea6bad70401275f0b49a56d7c25af872bfb18b0dc103e106880fab7a52b4e82daa0fb82af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1804-18-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1804-9-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2676-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2676-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2676-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/2676-22-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3356-23-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3356-24-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3356-26-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3356-27-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3356-28-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads