metamorpherrat | ad7aee0f76b855bc8f5ce8f50238f3626e702876b66f7b7cd86e78568b004e7c

General

Target

f8d567f77cb240cd91dd98a903e4a8e0N.exe
Size

78KB
MD5

f8d567f77cb240cd91dd98a903e4a8e0
SHA1

6f2e53eca8362dc1320defb169b106ecf29fd1f2
SHA256

ad7aee0f76b855bc8f5ce8f50238f3626e702876b66f7b7cd86e78568b004e7c
SHA512

5577fa78bbf45336f555d1b723e9513b424827bed7d3cdc018af4650687769e4a019afa51594ad48aa8eecb32b1f7b9678f498b3fdd1dcc31e070776c4814fd6
SSDEEP

1536:iOe5RvZv0kH9gDDtWzYCnJPeoYrGQtC6s9/AO1sP:Je5Rl0Y9MDYrm7k9/A9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	f8d567f77cb240cd91dd98a903e4a8e0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	tmp8944.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8944.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8d567f77cb240cd91dd98a903e4a8e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8944.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe
Token: SeDebugPrivilege	1984	tmp8944.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 832	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	84
PID 2776 wrote to memory of 832	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	84
PID 2776 wrote to memory of 832	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	84
PID 832 wrote to memory of 4740	832	vbc.exe	89
PID 832 wrote to memory of 4740	832	vbc.exe	89
PID 832 wrote to memory of 4740	832	vbc.exe	89
PID 2776 wrote to memory of 1984	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	90
PID 2776 wrote to memory of 1984	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	90
PID 2776 wrote to memory of 1984	2776	f8d567f77cb240cd91dd98a903e4a8e0N.exe	90

C:\Users\Admin\AppData\Local\Temp\f8d567f77cb240cd91dd98a903e4a8e0N.exe
"C:\Users\Admin\AppData\Local\Temp\f8d567f77cb240cd91dd98a903e4a8e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1qlrhwnu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ACB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EE0E7337E5B48EF876160BEB27FEEBB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
- C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f8d567f77cb240cd91dd98a903e4a8e0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1qlrhwnu.0.vb

Filesize
14KB

MD5
63d7897518ac8e3491e683d2740e445d

SHA1
aa61475f72ebdd9b4a45afec97b9ca5b20da0da6

SHA256
6bba34bca8e174396217a812a97d23351ebe58a943ddbcf2bf3b21d0fdb7ecac

SHA512
a3bd3467ae28c0d9fd0e5ca06af87e5afc28604a8b2c88d29cd1e1713359bfe9cfb2f701b3bc9bdcc8395a2bebcef4e669378b2046d05eadb44b58b939070478

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qlrhwnu.cmdline

Filesize
266B

MD5
31d28257fe9bfea2d91dc889478e5ee4

SHA1
ac29e53c496a5e8306eb55ea791c7e6ca7767a93

SHA256
f70b728f24f34d297aafd2157615aa493a2ab6069bbe774cd0edad3408b6e0eb

SHA512
bd3ed6a65d5ecc723e87422ae085bbb70b75415567c6aa7b91cf5249827f34eb57a42aaea1f7699145b8e968d7c2d00eb46e9a4fca4ea8f266fc1e9c0a87bf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8ACB.tmp

Filesize
1KB

MD5
528ba8e199661eabdc6aa29b56a0b4c2

SHA1
980d32952771bd82f0c0d80545ec0a6cd3d20d46

SHA256
b9f6a385a7c8af183fb3e527cd626719531b6e305cf4879cd3f245d3bd6cdfc1

SHA512
a76e15f0cd5c6a0f61320106268ff36f354c685e00618dad15640e0524340d3359e998d38f14478f962c718d79a213545938eb7614949bcd9c4c5375b6709ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe

Filesize
78KB

MD5
6c751b96d5d3cc7f06ebe7018c9aa641

SHA1
d85aab7e0809fcb969326189e20fdc601e4f206b

SHA256
d2d3c056074dc57b29300d294be3594d21777a35c9220ed6d8a769a3c75c7cc1

SHA512
cd14702b5bf1fb2886bac26ed05e6aa2ee7d6f4ba33c8b21ddcdc39c548dd038ae9cafff2805c38c3e78e9ca42e0cabd7204b0f546e0fe5e4167313771bab0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EE0E7337E5B48EF876160BEB27FEEBB.TMP

Filesize
660B

MD5
53d998327a266001ee5b1bc9e37bcc7f

SHA1
f231b916d139e4c90dc7126715a18e34c0c17118

SHA256
9c3787bf33f712389e480c4ae4ab4a6e430efff0778e5a82d87c51246cec3d98

SHA512
1a320796745097896db6f171a79d3666ac8b96073caa44d0f464d1bafffea45a4d8cf806eac90818d97a22e6ae1b679275c51e35fa9c744a30cad71c13375267

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/832-18-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/832-9-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1984-23-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1984-24-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1984-26-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1984-27-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1984-28-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2776-0-0x00000000750C2000-0x00000000750C3000-memory.dmp

Filesize
4KB

Download
memory/2776-2-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2776-1-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2776-22-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads