metamorpherrat | 1c4c4f24622933843a2d54448ba395bc22a55f3ed62a15ecbfc9a8c48d8f2f70

General

Target

4e221a36234f1467be827308a3709680N.exe
Size

78KB
MD5

4e221a36234f1467be827308a3709680
SHA1

a83751b85c3deaa60cb58a8f3e7e98ed0fc9a004
SHA256

1c4c4f24622933843a2d54448ba395bc22a55f3ed62a15ecbfc9a8c48d8f2f70
SHA512

123663981bac5a870fea7fe6c39469f0960c81f3a19ffcc5df2ecd8819012c483efe193007feef66294971295b32d9a20c55429cc8cf599bc928d10abdd3b303
SSDEEP

1536:wHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt99/N1Sg:wHF8hASyRxvhTzXPvCbW2U99/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4e221a36234f1467be827308a3709680N.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	tmpA681.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA681.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA681.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e221a36234f1467be827308a3709680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	4e221a36234f1467be827308a3709680N.exe
Token: SeDebugPrivilege	5016	tmpA681.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 3684	3652	4e221a36234f1467be827308a3709680N.exe	84
PID 3652 wrote to memory of 3684	3652	4e221a36234f1467be827308a3709680N.exe	84
PID 3652 wrote to memory of 3684	3652	4e221a36234f1467be827308a3709680N.exe	84
PID 3684 wrote to memory of 5084	3684	vbc.exe	88
PID 3684 wrote to memory of 5084	3684	vbc.exe	88
PID 3684 wrote to memory of 5084	3684	vbc.exe	88
PID 3652 wrote to memory of 5016	3652	4e221a36234f1467be827308a3709680N.exe	90
PID 3652 wrote to memory of 5016	3652	4e221a36234f1467be827308a3709680N.exe	90
PID 3652 wrote to memory of 5016	3652	4e221a36234f1467be827308a3709680N.exe	90

C:\Users\Admin\AppData\Local\Temp\4e221a36234f1467be827308a3709680N.exe
"C:\Users\Admin\AppData\Local\Temp\4e221a36234f1467be827308a3709680N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9mpemefj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA940.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84200CAFD3341C4BEBCA92F2E0AF4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4e221a36234f1467be827308a3709680N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9mpemefj.0.vb

Filesize
15KB

MD5
48f7ab4584d09a85637a8e398b6c1699

SHA1
551631f259a5806a421b823afba4f7ce141bd3fd

SHA256
54fa282ada93e77182bed6266b34f30a2367c7eec97cc8bfe5744f688f9542c8

SHA512
c702a4888871af754163978a684771170147d1a3d5138b0f04317d22f46f09cc4fbbc27b1c28220f5c90a262f70745b88b389559f4c88e1696e7bec00ac77296

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mpemefj.cmdline

Filesize
266B

MD5
a8e0b619f942a473e9e444cd76adae29

SHA1
51da7650b3f9d28181ddbe4b159a3357a1458dbd

SHA256
e8ff054bd9619a6f2c3ac01437603bebc2178ea1f91f02b909e30e05800cbd3b

SHA512
f009c750b53fc36cb92b9e11501a357329d3404c8bc975d083a3957efcc00e0f2a1c184e4ff319228a2f293cbfae2fb64c14b040aa9f411b93dbfc363cc83fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA940.tmp

Filesize
1KB

MD5
a31cdefb6f0aeca51f4ea39581902c35

SHA1
2a37947c4c8df82d53fef868779f1eac87d9261d

SHA256
2faca156a03d26687b4f09872f562d6bdbaae3334c73b647c0c28d12ff6e7486

SHA512
f03957c6c08171355398ad03868df54f4772342f9c11952acedf9611a00b112ed6249debcdc28e22927f697ccb6ffc79acfdae26aa54eed377e362fa8a1ba279

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.exe

Filesize
78KB

MD5
464b5b253d4658f13a7d71392f8de3bc

SHA1
039ae0eec62e019a55d7112412451194d3120a6d

SHA256
524a1b1484bc3d9628e0528ad96ec171ee1e45cea9eb3a8dd2d48bab530f97d6

SHA512
51e285a24a13eff24043f908dbb3c50377ce175fe36f2e55f2a389aae1fd44d4a5d6049cf4c376750b277640692e949abb9b9be65f6d10fb20f52656b6f43dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84200CAFD3341C4BEBCA92F2E0AF4.TMP

Filesize
660B

MD5
2dce00377c0da6b43831db913bf7dff5

SHA1
aca630088ead041bb778dd36497af88d5d1f2115

SHA256
6d5c104b1a622c9484b4ae3bdb7eb433969302acd3df0af1bd894cda4eb762c1

SHA512
8a30ec19335fb328b42cc42908a6536beb45aa0463d18f169abf1cc1fc3e0bd943dc762374803fd2565d5f3eef929bb474f5c81af13f06f4b3fe26caf8546946

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3652-22-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3652-0-0x0000000074652000-0x0000000074653000-memory.dmp

Filesize
4KB

Download
memory/3652-1-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3652-2-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3684-8-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3684-18-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/5016-23-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/5016-24-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/5016-26-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/5016-27-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/5016-28-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads