metamorpherrat | f6950aa2608d44af4e9ab8a77b3cd2b10b1a538f40130e651733bb49b09d8f70

General

Target

29f9b680505b0abf1f09b72d6537cc30N.exe
Size

78KB
MD5

29f9b680505b0abf1f09b72d6537cc30
SHA1

733878d7d19ca0f5c93e70005284da811fdcf5a2
SHA256

f6950aa2608d44af4e9ab8a77b3cd2b10b1a538f40130e651733bb49b09d8f70
SHA512

fa8cdbeb33518a908c039270a6b71b2d42f235d7b334f4339a0570d0ffa8d45cc0d6dc0380cfdc14df43ad7e9c3f69fed8a65d522adca4ee91b91f959a412185
SSDEEP

1536:4tHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtq9/o19N:4tHFo53Ln7N041Qqhgq9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	29f9b680505b0abf1f09b72d6537cc30N.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	tmpCBEB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCBEB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCBEB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29f9b680505b0abf1f09b72d6537cc30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	29f9b680505b0abf1f09b72d6537cc30N.exe
Token: SeDebugPrivilege	2092	tmpCBEB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4284	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	84
PID 2496 wrote to memory of 4284	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	84
PID 2496 wrote to memory of 4284	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	84
PID 4284 wrote to memory of 3328	4284	vbc.exe	86
PID 4284 wrote to memory of 3328	4284	vbc.exe	86
PID 4284 wrote to memory of 3328	4284	vbc.exe	86
PID 2496 wrote to memory of 2092	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	89
PID 2496 wrote to memory of 2092	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	89
PID 2496 wrote to memory of 2092	2496	29f9b680505b0abf1f09b72d6537cc30N.exe	89

C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe
"C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2m7khrud.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AAEDFE2BA3B427092A04C5A4C1187BC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- C:\Users\Admin\AppData\Local\Temp\tmpCBEB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCBEB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29f9b680505b0abf1f09b72d6537cc30N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2m7khrud.0.vb

Filesize
15KB

MD5
9e600f74e1179139b86af372d225cf55

SHA1
f73820597beba9b49281c2e88300b11c7af780ab

SHA256
402aa090122cfad9bad0ca1051eeeec65c6c62cf19b2ee364f866338415b1d3a

SHA512
760939c8be6aa64719758f69c8297200fc380e816df4f8240c73fdfcbfa8eb030d388804f02cdfc34516131d720e2709aa965c6da2dd806e29b5a24e90e07d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m7khrud.cmdline

Filesize
266B

MD5
f283baaa0a385c7a2ea2dc2a5aa43ea4

SHA1
2fbc9d13b7fae5ba5f394a691f0baddbc008afd5

SHA256
b59b29dc862d68a79fe609b5f1bd535cda13d62ccbb00c0d6d3e5f63015e0201

SHA512
60adcefe081848550abe411b8b11b68abf180172e173e346d042247e16a50692577cd682133ce520742a87f7f66d21c9c43b229d1f6ac2a8bd0bb9e90012b51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD04.tmp

Filesize
1KB

MD5
49ebfa3e013b37cec95b22f0f59cdac8

SHA1
72c27cacdfdab584641fcecc01ba80e2a4757b3d

SHA256
4b5d9dd880e9a952b55bd01c6dd7f208abe571052459eebc136eb64aebdcce39

SHA512
856c3b1a8dc6f11058b9f60bdea76d60181864b65dd463ee62d5c5f8cec266f30a4a865b14f8ec5ae12cd529bfa38caeee8fb6df12e915d8ff268dc537c79152

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBEB.tmp.exe

Filesize
78KB

MD5
4780ec35bb9565393c173ef9a186aa77

SHA1
14af57dc11d3a5f55fd61bb3b997344f390bf4a9

SHA256
2c625ac5a3cb9306f33499328fbcf0d96a38bb79d1567c789b670d3de4d69d8d

SHA512
a769c9065888355a89bb631e790d08d4066cf207e6f19723a6fe785753e0ec510b76a460d23188dad3ac6fc00f848c4ceb60bff496352ac979ff2bcc4b5de19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7AAEDFE2BA3B427092A04C5A4C1187BC.TMP

Filesize
660B

MD5
d5b55e0d82149663e09e5eabf7a63425

SHA1
a9ef560219701672631e3d05ac35419e5f0111aa

SHA256
219dfb4bde66d702333748bd01c0795efd01bb48095209f52a84ec3f781dfdce

SHA512
06c131e87c08f3b3f7ada9b3400c76aadb48bd1954c46aab221c98555708f5722198cda215ea86173d685128f5ecaaec9c181bf74a8b715ca7549bd9bb365e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2092-23-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-24-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-25-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-27-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-28-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-29-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2496-0-0x0000000074D02000-0x0000000074D03000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2496-22-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/2496-2-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4284-9-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4284-18-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads