metamorpherrat | b0eaaea93af75e058e49a26348511828fca5b79ae53d5ac544f3b30f54f431da

General

Target

eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Size

78KB
MD5

eb5e6c4e4db36b9a5ae247e10491c8b0
SHA1

b7c400e676c79484218396b181949e2edc049260
SHA256

b0eaaea93af75e058e49a26348511828fca5b79ae53d5ac544f3b30f54f431da
SHA512

2279f7b6087d0536a4fd906d1f2e918733dcf74164d4a802579119c0515c46d881170ce657138ada0b4476a8b8b186e8dbf88fe79a1e5f0fafd168862d802ea5
SSDEEP

1536:Ny5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6d9/y1lC:Ny5j9n7N041Qqhg19/z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4260	tmp9E63.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9E63.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E63.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
Token: SeDebugPrivilege	4260	tmp9E63.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3788	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	84
PID 4720 wrote to memory of 3788	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	84
PID 4720 wrote to memory of 3788	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	84
PID 3788 wrote to memory of 1352	3788	vbc.exe	88
PID 3788 wrote to memory of 1352	3788	vbc.exe	88
PID 3788 wrote to memory of 1352	3788	vbc.exe	88
PID 4720 wrote to memory of 4260	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	90
PID 4720 wrote to memory of 4260	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	90
PID 4720 wrote to memory of 4260	4720	eb5e6c4e4db36b9a5ae247e10491c8b0N.exe	90

C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
"C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5yszesou.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAA0C68120594D489FA04AD4E2E36CEB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- C:\Users\Admin\AppData\Local\Temp\tmp9E63.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E63.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb5e6c4e4db36b9a5ae247e10491c8b0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5yszesou.0.vb

Filesize
14KB

MD5
6cd7efa36891d3922e2a284fbacb641f

SHA1
ae0ed4ea60aea561163dc913ec6787a35862e3d9

SHA256
696cf4d2df6ce9f9c96d9855503971e2aa88cd46cbbe6f34025d85922f203e5e

SHA512
3c5bba4a53042b2789a12c17a62486a5cef8b66b3ce61dde64963708ac0c6e06fd283712b0fb566a1fe9b1c86bb15d1bbd81a55080847ea20f05f5f01c135dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5yszesou.cmdline

Filesize
266B

MD5
ed2c652b1e09fb0b3c4a0098ef0cbca0

SHA1
d1fa35ffe4380e804767689cdc77b819d46053ca

SHA256
4f7be09efebeeb252c6a3b041ac4ab5e0c05633adb99c4befd12ab7325380d18

SHA512
0ea3a00897d820023495a3808277249fded2c0c7bafd440ca28a50a7bf519c237a934c2133b5748a8b62077e13a2183434cb0fa411945475846efbb4f9fe37d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp

Filesize
1KB

MD5
0088eac6282bf487bcd811204e2c9b53

SHA1
9669e5f60a8d06de5a42724ea575f7b2f533dd9c

SHA256
e97f5257c4eba0f5371e3f058180b054b2a251df3c528593b6e64c188bc7518d

SHA512
8723c6d00aa2e3d8f36171748f7f89ba091e7a6ea73a8e2de97658bc8c2ad284b711c7aa7b095cb62ac6dd5ab5007e0e295699380b0efdaed2fcb176ed20a62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E63.tmp.exe

Filesize
78KB

MD5
d385837d9ed25293285dbd45c24724c7

SHA1
6c82b1d2136e5fb65de364fe13c77f06f0a06081

SHA256
508def1eadfdba57b8f786261b3e41655f39434efa0dd93bf1b741f1aa1db682

SHA512
9a0f0707b4f775cf48fc3902dff30b7ff0ae706c420447576c0eecea96476da55e57571f3688da9b7098bb235d0cf658f611658b639005d6eab69337a74bc259

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAA0C68120594D489FA04AD4E2E36CEB.TMP

Filesize
660B

MD5
ffff39eb1978607b8c5aa7020143a80e

SHA1
f691cfa5159811f9656b372b44f592ab369f0038

SHA256
cf54a1f01cc5ae7863cc1b608a9aaaaaa26ecd5e54b27ac0915c6e112689c3ec

SHA512
1066646ed43370cf140916979e65431674caa3d1b5a2827b7b91aad30a26f08b228ea7643e282cb97d2f0cb3751fa3f9cb07bfd34993a84c57fc290e65b23f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3788-18-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/3788-9-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-23-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-25-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-26-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-27-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/4720-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-22-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads