metamorpherrat | 4cd56fce4bd6a123badda4c73dfc639dd0c6bca8a7758b28a74a45ba99fc3cf5

General

Target

5a00ad9bae3650a22a15789d0b1229e0N.exe
Size

78KB
MD5

5a00ad9bae3650a22a15789d0b1229e0
SHA1

b934d3a1631b75fe99f114ba46751519da546074
SHA256

4cd56fce4bd6a123badda4c73dfc639dd0c6bca8a7758b28a74a45ba99fc3cf5
SHA512

b3a14419228146535e3baab9d0e6f1f2d6edbde969e2611223eefaf39dcacb3a7781ecb86648c8f747dfe3db59f56c3da1b18e351696a6246c00d448776b3b5d
SSDEEP

1536:Rmy58XvZv0kH9gDDtWzYCnJPeoYrGQtC6e9/dn1mc:Ey58Xl0Y9MDYrm729/P

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	5a00ad9bae3650a22a15789d0b1229e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4576	tmp2BED.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp2BED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a00ad9bae3650a22a15789d0b1229e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2BED.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe
Token: SeDebugPrivilege	4576	tmp2BED.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 648	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	89
PID 4908 wrote to memory of 648	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	89
PID 4908 wrote to memory of 648	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	89
PID 648 wrote to memory of 4832	648	vbc.exe	92
PID 648 wrote to memory of 4832	648	vbc.exe	92
PID 648 wrote to memory of 4832	648	vbc.exe	92
PID 4908 wrote to memory of 4576	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	94
PID 4908 wrote to memory of 4576	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	94
PID 4908 wrote to memory of 4576	4908	5a00ad9bae3650a22a15789d0b1229e0N.exe	94

C:\Users\Admin\AppData\Local\Temp\5a00ad9bae3650a22a15789d0b1229e0N.exe
"C:\Users\Admin\AppData\Local\Temp\5a00ad9bae3650a22a15789d0b1229e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yadkyyah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9F49B5EED994C4484A4B2FF6B1E5DB2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
- C:\Users\Admin\AppData\Local\Temp\tmp2BED.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2BED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a00ad9bae3650a22a15789d0b1229e0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2E7D.tmp

Filesize
1KB

MD5
17c99e83fe68b8a53234bf381ac92532

SHA1
85e7d0b13c0f2749bd3b8c7c02ac006002ce7a60

SHA256
b12c9e8c0b815cab954a5c9b1b353c001f79fff586f5ff0af8789bea28d143b9

SHA512
c25d7693001f92d551caf6ce463b3e866bfd7761a024b519186a3661a4f63d87ac2418e9295fc9763fd86706a0d94803306c24fdb54a5397e3f36c42e4798f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BED.tmp.exe

Filesize
78KB

MD5
511eec42cbb0e0181080fff9ce91e355

SHA1
423b7087b7c074dbd4366fb87a088135adc341b5

SHA256
40c68037565c9a1c55e1139cd595aa9d9db4d99d2379e3d43c97d3bfa4245c72

SHA512
1adfc6b378966efb59277ab78bda6ea58ae69016f7516fa62ca0ec17777520dcec7940906ccae313eb5c7e386dbf985c664038df615d1f2f918da561bfceaf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9F49B5EED994C4484A4B2FF6B1E5DB2.TMP

Filesize
660B

MD5
58cee47e86557fe097e36aa41460e796

SHA1
ddb6c11e419fc7d1442803945dc9881ba40c832f

SHA256
8c98d935d80ca0357f075e14bec62f5908a575afe75eb0e2109fa86308176f72

SHA512
7bf9fbae51f6ae906aa3675ac5d0e14fb02c0b0ba46061cabbe05e5692e964276ed90c10929bd06926df2472263b1f1a4a0da865c4187aefef1cd086ff337926

Download Submit
C:\Users\Admin\AppData\Local\Temp\yadkyyah.0.vb

Filesize
14KB

MD5
251bb121baf9e6c61ef5a1dbd86ce987

SHA1
a1c63ce78107c85758915ca006b4fadd9b5649c6

SHA256
22c69b22127d0df569fe914516fa2288c80680473b63f5c50a127d9f11581ba6

SHA512
8e9e25c105545469c3ef07f9bf0ad46d614b5dc31fd9589d4b39706584b5f6e58e982a08a8ed28ae005b6a0408bb24ce8f2aac27901deebca3ff2bdb4d3088e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yadkyyah.cmdline

Filesize
266B

MD5
9ef88033e42130bea33363705b8bdb96

SHA1
953a77d16e143a394b109399ef2d9a52f36323d2

SHA256
7a302f2d74e20b15c275a9496733783190e1459662d795a967a032163ccb77ce

SHA512
35446d074a65a8412f732160dfa38523178941424188c5a47a7a4668bd035b55a972565337aeed29ffdd96727a40edea2e3ca9f0c08ece4a986214d3b6d5728a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/648-18-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/648-9-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-24-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-23-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-26-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-27-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-29-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-28-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4576-30-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4908-2-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4908-1-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4908-22-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4908-0-0x00000000747B2000-0x00000000747B3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads