metamorpherrat | 477d6ea4bbe43bfd961db598ce52eec26c469ea96b9870a48f0efa42313c7e4c

General

Target

7aee1b5ade10a773442eabcf9e3a81c0N.exe
Size

78KB
MD5

7aee1b5ade10a773442eabcf9e3a81c0
SHA1

10108aa79dc556af1d219d86024a4e7dfb4d0b53
SHA256

477d6ea4bbe43bfd961db598ce52eec26c469ea96b9870a48f0efa42313c7e4c
SHA512

b4cbf642d28c2b1cfe185a94fc43880930a89e6632da3adf09b1578973eddde22f82d8dd508acdde09f705f214bcf4f644377a939e93fd24130fe1c381591605
SSDEEP

1536:kPCHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQth9/y129:kPCHYnhASyRxvhTzXPvCbW2Uh9/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	7aee1b5ade10a773442eabcf9e3a81c0N.exe

Deletes itself 1 IoCs

pid	Process
3620	tmpCE1D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3620	tmpCE1D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpCE1D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aee1b5ade10a773442eabcf9e3a81c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCE1D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe
Token: SeDebugPrivilege	3620	tmpCE1D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4012	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	84
PID 3644 wrote to memory of 4012	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	84
PID 3644 wrote to memory of 4012	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	84
PID 4012 wrote to memory of 1100	4012	vbc.exe	87
PID 4012 wrote to memory of 1100	4012	vbc.exe	87
PID 4012 wrote to memory of 1100	4012	vbc.exe	87
PID 3644 wrote to memory of 3620	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	90
PID 3644 wrote to memory of 3620	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	90
PID 3644 wrote to memory of 3620	3644	7aee1b5ade10a773442eabcf9e3a81c0N.exe	90

C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gz8g8etq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2FAA7214D3445FF9DA5A3E97BE226DF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- C:\Users\Admin\AppData\Local\Temp\tmpCE1D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCE1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7aee1b5ade10a773442eabcf9e3a81c0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF27.tmp

Filesize
1KB

MD5
e9d06cb54efa65b66c4628100ead0761

SHA1
aaa6bf0b74b882d30e3a91d4ce83f32a249e4fa2

SHA256
c7e3b9b5c0216cfe7c5af0b7b5478d3bddd07a4a915aa390d7ba7295b282a6ef

SHA512
fe61585999f2531b9c4e2c1067234e2d17ac7f1aa356c52fab360d3b7c0e449e8f50b431d0a12fd24d8b35e0bb6732ca6c173dd794db0a7f0511aa087c83a8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gz8g8etq.0.vb

Filesize
15KB

MD5
1e3f1dfb107be43cb7ea9097fe55bdd1

SHA1
e50e475f904c7f849c709c5a1cd4f6eb5e9252b6

SHA256
7cf1fe29b5cfc8bee4d4b3f9a0796575d3b82a2bbef3ef90d6d82f1b27267a2f

SHA512
1b4240f0728c8d61c83130571cad1726ef0047a07a49b886716f4cf25818489ce847040f14203d8980b5d821681641e5d28a8d032b4800a137f7631b152e19f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gz8g8etq.cmdline

Filesize
266B

MD5
4bfede1b71704449951bf08d344f5d9e

SHA1
81948e874f287070146a972134d7f59705fa4d22

SHA256
88e309184996ecb0f1a616e845fd2ee1d089ff50648df9cfc7c63cd400acc003

SHA512
f10828fc2f02761cfafe28fd954ec4d610c2f09a69fd6029eaa02e8adc53348ef1c7890370b5aa0cf325da7e7fd71a44d93d9950d9ac3e339b5beee7b44bdda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE1D.tmp.exe

Filesize
78KB

MD5
cacb679ac4c2005d501d226d4f621ae4

SHA1
963b6ac2611f7a094d6a7c3108e48a1f4bcb66dd

SHA256
9419f4aa6d191a9e0ab8b10cea8b236fe952a66fd96a8c05c6d0831f183f5566

SHA512
79f40ceeda401c8dec7fa0f4d30dc33a2375fea556f359f9956f8637e1147b623e0f5c3fdd3ab134e58c004e757e702c2b971d32e63f5c2684043113f451aaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2FAA7214D3445FF9DA5A3E97BE226DF.TMP

Filesize
660B

MD5
6a5db1a609efe29fda8fc753a8a03790

SHA1
7a6368cdcfdabb46ba726bc2c607bcf23df6fcdd

SHA256
3687b2628861a121eae50dd510ddd531c1eb7dcbf20bb0c31739945ecf48d8c1

SHA512
40053d912cfd3bfa44037818bbab20ccc7baa99c3ab236a9f49df7274995da9d3c0830de42cd6c628444ba7099be8945e16d7c9743e826c9f3db99c42b7862fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3620-23-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3620-24-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3620-26-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3620-27-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3620-28-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/3644-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-22-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/4012-18-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/4012-9-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads