metamorpherrat | 1bb31f46f47ccee185c2d7fcf9ae0a992c3960f3c09d01166d05d888aea71bac

General

Target

ff63f5136dc3fffe04d04acbdbaf0b30N.exe
Size

78KB
MD5

ff63f5136dc3fffe04d04acbdbaf0b30
SHA1

4abd081bb66cd4ebf722ee7bb401253b704db812
SHA256

1bb31f46f47ccee185c2d7fcf9ae0a992c3960f3c09d01166d05d888aea71bac
SHA512

fbc9750d30168b598e2389efc95d9610c5ae9dc4e6daf4ab2871a25c0f5003e151c4b1ceddd0a9886b22a76cd638399cdf6f6402477c5a9b207f05c2dbbff730
SSDEEP

1536:v5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/k1qa:v5j9n7N041Qqhgj9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	ff63f5136dc3fffe04d04acbdbaf0b30N.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	tmpCB01.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCB01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB01.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff63f5136dc3fffe04d04acbdbaf0b30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe
Token: SeDebugPrivilege	4824	tmpCB01.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2656	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	86
PID 968 wrote to memory of 2656	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	86
PID 968 wrote to memory of 2656	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	86
PID 2656 wrote to memory of 4380	2656	vbc.exe	90
PID 2656 wrote to memory of 4380	2656	vbc.exe	90
PID 2656 wrote to memory of 4380	2656	vbc.exe	90
PID 968 wrote to memory of 4824	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	92
PID 968 wrote to memory of 4824	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	92
PID 968 wrote to memory of 4824	968	ff63f5136dc3fffe04d04acbdbaf0b30N.exe	92

C:\Users\Admin\AppData\Local\Temp\ff63f5136dc3fffe04d04acbdbaf0b30N.exe
"C:\Users\Admin\AppData\Local\Temp\ff63f5136dc3fffe04d04acbdbaf0b30N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7olf7pqq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C1615642EB4C87914D3E2A2A5BFEBE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- C:\Users\Admin\AppData\Local\Temp\tmpCB01.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCB01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff63f5136dc3fffe04d04acbdbaf0b30N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7olf7pqq.0.vb

Filesize
14KB

MD5
5bff5d298ace0814d49aae69fb252365

SHA1
c698b644e972dbe949c4415cee543d7d9b7cc744

SHA256
30d889c0275f9ce48dbe42187b10047eb19268ed9f1ec7ad443688fd610d4aed

SHA512
9c6d79cc4de5778af4fe206ef77cf01798704bb6a44105736ed554c8d4f29406194c2db4675eccac84480e76683ad4a0dca43d9ad964a7b1245cd8ef17831998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7olf7pqq.cmdline

Filesize
266B

MD5
8fc6c02f21439975b3aadd609b85dad4

SHA1
207cbe9fbf7ab125ddca13e9e59a1159c05f7837

SHA256
ac2bd3008d8a2638043742c724576090eff7319c4f11e563bf776082929bbffe

SHA512
a4166e5d52a22a42d65448287c5a1d6dc53cbab1159b35b102948d4f0441a2849380097c14578feb5480a9f7aac6fb70261b9d4cd38c21755e4a773952116e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp

Filesize
1KB

MD5
05f2bcd7ba77f8f40fe0af505b5cda4e

SHA1
46f69f192bb1d713934927b49428ebefa5589ada

SHA256
d81f5c9fa6030465c6ada22e76cff52811d4c31bfa1e7d616813e349563c420b

SHA512
d4ee7ff493ed56a076555fe5c8e5e7d88a5322a2c57d7d224d6b5b865147dcebe08bafb5ba907916f4c1380d83d9c869f296c570645ec93589ca7a12b02ab8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB01.tmp.exe

Filesize
78KB

MD5
cb7824d2cd78842d0c04378d5bae40a1

SHA1
054f992de24f97a923557f878521c003e4799ed1

SHA256
a1d3c613856cf1b84cbcaca30ce499cad8ec3f81ce4001103b0b92e296473b05

SHA512
7dfddcd7786d01d9613fea726fcadc401b617d9741b8914ebabd1abbba2089772e54bd5c99952fbe761b57bdca71a3ea50f1b839059d2a359e4152c8bbebea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C1615642EB4C87914D3E2A2A5BFEBE.TMP

Filesize
660B

MD5
97f31db11a875b5c538a27260d44e988

SHA1
a0d05d25d6fc0efe5c2236a152ab37e0c0ef70cd

SHA256
4e6d8659fbf85eb3b08a0f6859dc85ff0948e35d812e0b32a3c964119b078f1c

SHA512
19be07e1480962cb5a295ab778375e56464a063e28120b3a47ec642ce93d1674977907259622d7827dfb2519686983743f2cc726086866c77909336352f3d55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/968-1-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/968-2-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/968-0-0x0000000075472000-0x0000000075473000-memory.dmp

Filesize
4KB

Download
memory/968-22-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2656-8-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2656-18-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4824-23-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4824-24-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4824-26-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4824-27-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4824-28-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads