metamorpherrat | cc63856466a7bc3187c29e03d52344c92de361eb776290fce937e36075df70ac

General

Target

f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
Size

78KB
MD5

5a0e73710ba67f3fee26ca0974b30c9b
SHA1

3ec0cb651838e32577d213fbb4c620cf8e496b5e
SHA256

f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d
SHA512

d9d7e2df2d684fdcccc6cc0e002f8020ca4aa39fef63512b526f3c3db04be6f1d4e46e617ada493a7037c205a64ae500191044efc33d004d4d204c2b4868fad0
SSDEEP

1536:DPWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt69/81EP:DPWtHshASyRxvhTzXPvCbW2U69/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	tmp7BD7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7BD7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7BD7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
Token: SeDebugPrivilege	2124	tmp7BD7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 3840	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	84
PID 2264 wrote to memory of 3840	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	84
PID 2264 wrote to memory of 3840	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	84
PID 3840 wrote to memory of 3272	3840	vbc.exe	86
PID 3840 wrote to memory of 3272	3840	vbc.exe	86
PID 3840 wrote to memory of 3272	3840	vbc.exe	86
PID 2264 wrote to memory of 2124	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	90
PID 2264 wrote to memory of 2124	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	90
PID 2264 wrote to memory of 2124	2264	f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe	90

C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
"C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fskahtaz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E5CC753B9874AE7A6665AF065256AC0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
- C:\Users\Admin\AppData\Local\Temp\tmp7BD7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7BD7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f2167a17e7bf4bc26e38a563c40d6179023978091d9407a3429645b943370e3d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7CD1.tmp

Filesize
1KB

MD5
7ef664793783ae65f165ead370caa12d

SHA1
62b4933da00fbfe4b746c29494c2b9155af8753b

SHA256
811b3acaf332d362d6a27ecb7cf5227fc5eb30b445fb952eb25b7c2f6758a273

SHA512
4763f332c6627cc757cd44ba139e5e6dae31c8170b06e01451dd5af812c3cf8874019d8b75f8e72cc686bf5ab61ab6241538b5981e6a7b354be7b4fa94282a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fskahtaz.0.vb

Filesize
15KB

MD5
e04bb02e78c47b78ba9eb15d85c48d91

SHA1
2fc28d60174c4b8adf8e26701346a9c862e5727d

SHA256
8eafc6e7328ef449def0bbd4f614b38a372943131edb38f36684a225cebe9df6

SHA512
f241752bf5e1abd1c49b7603e0641db8decd811a8aa2f4d7ea79b6ee0f01d4cb6b646247412104e56b44c2eb3419bd47e490326c9ecb942fe4594e1076c820d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fskahtaz.cmdline

Filesize
266B

MD5
f6a0c677f908dd27b0f4b2db04b30b75

SHA1
e5b87de2da4936bc3b2d09a3ede6afb51d7c482b

SHA256
8030a413df7263000dd4dff094f5e784f43fbcba4ddba88111ce08bd7ba3ad37

SHA512
06949f2f11d3dbcef9bc994aca73df379ca3fca70e5ca7463bff825d369153927a40222adace819c46426101ad2436fb4c7a03743292b665f32a4941c9056e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BD7.tmp.exe

Filesize
78KB

MD5
8d4d2c498f657dba435bd3b413af4317

SHA1
205c07413c1760c9fc6337560467d16beecc364c

SHA256
785ccf81689a790645338ff6fd87670102e8cd173587ca02be58c18c1fe0d4a4

SHA512
954ca43c39b0c6e8cb06f544df42922e189e47ce3bb654d80ade6d404a626751f136a6f26c8517998b7fe00e30ed343dc6c2378474f993bb394614e673387f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E5CC753B9874AE7A6665AF065256AC0.TMP

Filesize
660B

MD5
796cfa2713f9eef372542ad2ef45bf14

SHA1
4dc21699c0c7adadc27427cf66105a14fbe0dd0f

SHA256
d114cfe25c0cdcdc6f9a70c09aebf493c86f937d7f8108256c325c56dbf3835a

SHA512
7f428e8f1d26944359212cc314c6fb1d470c42ce58cc60497e7caf116fde5771363694bc50db9bd84ab7e95b84c5d9acf35592ca7470fd9676c93d6ccfa6c886

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2124-23-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2124-24-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2124-26-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2124-27-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2124-28-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2264-2-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2264-0-0x0000000075192000-0x0000000075193000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2264-22-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/3840-18-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/3840-9-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads