metamorpherrat | 1f2af881da90a27d9ffd6acb1e6ebe296bd5f81a8af07a949a8ca83dfe671fea

General

Target

c12812502364fd0d08e8fe1167f3b1f0N.exe
Size

78KB
MD5

c12812502364fd0d08e8fe1167f3b1f0
SHA1

961b634447da2824d49e8fe9b8a0e146a9b09379
SHA256

1f2af881da90a27d9ffd6acb1e6ebe296bd5f81a8af07a949a8ca83dfe671fea
SHA512

87acfc0908dbb37da6f07c3f049b75b5bf1f518173cb39ac21f8bade11529e42a8da86ae144a499090e82c2e58cbe7cf6f0c18f7be469d7e215a8369a31c2738
SSDEEP

1536:bWV5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC67X9/p1H1:bWV5jS4SyRxvhTzXPvCbW2UjX9/5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	c12812502364fd0d08e8fe1167f3b1f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
32	tmpA6BF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA6BF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6BF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c12812502364fd0d08e8fe1167f3b1f0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	c12812502364fd0d08e8fe1167f3b1f0N.exe
Token: SeDebugPrivilege	32	tmpA6BF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 1060	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	87
PID 716 wrote to memory of 1060	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	87
PID 716 wrote to memory of 1060	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	87
PID 1060 wrote to memory of 1720	1060	vbc.exe	89
PID 1060 wrote to memory of 1720	1060	vbc.exe	89
PID 1060 wrote to memory of 1720	1060	vbc.exe	89
PID 716 wrote to memory of 32	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	90
PID 716 wrote to memory of 32	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	90
PID 716 wrote to memory of 32	716	c12812502364fd0d08e8fe1167f3b1f0N.exe	90

C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pqmimg86.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA940.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BCC6141D0244DDBE01A97B16328FD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Users\Admin\AppData\Local\Temp\tmpA6BF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA6BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c12812502364fd0d08e8fe1167f3b1f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA940.tmp

Filesize
1KB

MD5
575e2c78cebad5b416993667e69c0b9c

SHA1
95462a5c5d59a4f3677bef69b9174a30bfbedf87

SHA256
76e76cb6a0ad9f6358913919ad0ed1b5dd586ce529a3d288c583e1fcb10e019a

SHA512
e888d851309f52a62dbfe202124785d91365096cdf5bd30f54a8bf8260f681e5924c8536dc431644c7a051f49b0714ec60a253355e2308740713feafe788b6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqmimg86.0.vb

Filesize
14KB

MD5
fdfdc463319475bc296ee1b9425c7f1f

SHA1
452eeba7e92b63fee5873bbeebfa76df0f2c48d3

SHA256
654d89e3d35ed3df3515cbd7f7e0a9080d1c7d9d3d4e8db48049cfa08961f7b1

SHA512
0a0741275c0bf4bbb703fea3effb0a0cfc8c77607ffcb649ccc942c07a4ed43e1a3a145b4093853903125abff061b2f58a163487bc3176ba7f8bea06805ae926

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqmimg86.cmdline

Filesize
266B

MD5
8e592728df407048ebe23c2ae793ac23

SHA1
eade52b427319ac67cec3a0f1e1e6842a0fd9823

SHA256
e68b2e6df30b726acbf7018be05564925cd0addfee7a4efc850bbc57d4245739

SHA512
0f4374a5696e89bec66e3d1cbfc722146e8c6baeefeb4598a20a296709224aed2ad02ae3b1c397781d5fae09ab026e78234ade5a150b6f1e166854d0948bc970

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6BF.tmp.exe

Filesize
78KB

MD5
45e43b750a42a522570b77f961cb13e4

SHA1
1a8d7ae38c1953c89256bf36179737ed3079a447

SHA256
3a90762c224374e10ec8028a74176f8f969dfcf4c1e70722b54ef9af84180ced

SHA512
88a0c2e4f74689f8702d56758dde8dbfec1035967e0b0a462ed3fbb4a537c01d53f0d667995699982bf877d9a6f920a68f1c38e96185620762ffae841bbb12e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3BCC6141D0244DDBE01A97B16328FD.TMP

Filesize
660B

MD5
a32371e6a13edb1f31fcc293dc6ed583

SHA1
917675146d311d6e0b1d271bab5e5ff2b217b2ce

SHA256
5b7451ae082f45152f236007059189d751e1ec2857ac9df148b75c41a1aeb5cf

SHA512
e82f68c648971e2e74e93bac82883afd307cb0dbf4f02782b788cd87933ff449cfe29260bca6e90ba58a236aa9388c3aee9029e950c247162d01ae5d871feab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/32-23-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-30-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-29-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-24-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-26-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-27-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/32-28-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/716-0-0x0000000074652000-0x0000000074653000-memory.dmp

Filesize
4KB

Download
memory/716-2-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/716-1-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/716-22-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1060-8-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1060-18-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads