metamorpherrat | 6fbef47651a3f2691585619d9595d834a041abeec1172fd27c7421412c139373

General

Target

c6196e61ccb80be8567c5c1c1f2920d0N.exe
Size

78KB
MD5

c6196e61ccb80be8567c5c1c1f2920d0
SHA1

4aad1a2c82a680a0c783945246934a4900c466bf
SHA256

6fbef47651a3f2691585619d9595d834a041abeec1172fd27c7421412c139373
SHA512

4cc459454e5c0e0299f1eeb2ef8ad2c83670d1d626f3a92a154553fb8205146f79f03391698fb4ec00c978cd3b865ce6b07db02ac65e3787901f191ef953d75a
SSDEEP

1536:CtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtS9/D1st:CtHY53Ln7N041QqhgS9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	c6196e61ccb80be8567c5c1c1f2920d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	tmp51A5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp51A5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6196e61ccb80be8567c5c1c1f2920d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp51A5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe
Token: SeDebugPrivilege	2728	tmp51A5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4288	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	91
PID 1080 wrote to memory of 4288	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	91
PID 1080 wrote to memory of 4288	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	91
PID 4288 wrote to memory of 1196	4288	vbc.exe	94
PID 4288 wrote to memory of 1196	4288	vbc.exe	94
PID 4288 wrote to memory of 1196	4288	vbc.exe	94
PID 1080 wrote to memory of 2728	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	97
PID 1080 wrote to memory of 2728	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	97
PID 1080 wrote to memory of 2728	1080	c6196e61ccb80be8567c5c1c1f2920d0N.exe	97

C:\Users\Admin\AppData\Local\Temp\c6196e61ccb80be8567c5c1c1f2920d0N.exe
"C:\Users\Admin\AppData\Local\Temp\c6196e61ccb80be8567c5c1c1f2920d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytbom3wr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES537A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3963FA86D444753B995A37357FBB1AA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\tmp51A5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp51A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6196e61ccb80be8567c5c1c1f2920d0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4424,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES537A.tmp

Filesize
1KB

MD5
f699341c93cb310bc1eb390307d192c6

SHA1
37cedd89744ac3657262ded5b8d75cb7b8449162

SHA256
5c9b1143955cf66d28bc3f44cc2538214c33c1b6c96547dde470170c49689288

SHA512
856d068983a50de603ae3eafb2125c9f16354a081dd1850883a453378ad0361cfe8dbc9b423d910ffa1f9d3a115f5216a774f9a783eeb5c16ce13e2d0e3ed7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51A5.tmp.exe

Filesize
78KB

MD5
9a3e973f5a04b9bde261663b3fa057b1

SHA1
6e0e74f07487996d3d881d9f31adb33502e3e8db

SHA256
e63066a32c732ff4bdeb96d4b84f3347f0969ba48bcc1f0d74a77a9d293e9ba4

SHA512
1e2e54959f83749c6473d443a725362e7c2b0e54637f94760be0ee81b55f58986394b15fb4226c9c3e53399798a150e88d50ace1fbb2dbe553f5b1fb801293e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF3963FA86D444753B995A37357FBB1AA.TMP

Filesize
660B

MD5
a68ed766884907369ae7e54ccb7970d0

SHA1
ee7495862538f19becc2b935409bcebc1dbf53f6

SHA256
8788af563821050a9a2ec7fea5683d991ac97f675cce36ee56c23b9666fff70b

SHA512
1cb5d985ac0bdc180c63a247d7cf138b00f10e8da5492bda010cd20db4598ea03f8bc7668b286327e1046dacf002cb4364a1b2599d8180c689fa9bd0252bb3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytbom3wr.0.vb

Filesize
15KB

MD5
457bba367170ad8045fa5e8a59c95ba5

SHA1
a46cebcb0ad677f227b640921d37119c32da994f

SHA256
b73378c22c52d5b7da59771007cde91c7fc1c5f50942234c6affba002ed14497

SHA512
f4002c0540de45dac510ef6f97c0898f1e8e218df127b0b1b4371f335acac8dd346bd704c3ae0aa38ce5e44b7168f248b84ecb1f6e7836148c6d338e539dd6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytbom3wr.cmdline

Filesize
266B

MD5
e1b46885b8a9bddcec2990c149073578

SHA1
ced0bbd727220da099218729454c04c793cb95f1

SHA256
4c9ee5d93fd449a31de0a4cb51a06d648e355b4f0a23d05a7e463808b18c2bcb

SHA512
c60f82611a2b3f58ed350362f3647bb0c017e315777654326db68fb6b36ba27273a62131573634983fe0abdf5fb5b9bd00fe2be784e7276ffc6a832c3e102c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1080-1-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/1080-2-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/1080-0-0x0000000075262000-0x0000000075263000-memory.dmp

Filesize
4KB

Download
memory/1080-22-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-23-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-25-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-24-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-27-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-28-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2728-29-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/4288-18-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/4288-8-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads