metamorpherrat | 54af753863d5a910ec6c0c8c24841b77cf521e87e6a7e032a9ee06e37472e97b

General

Target

4607aabb6e54b7279cef034c033631d0N.exe
Size

78KB
MD5

4607aabb6e54b7279cef034c033631d0
SHA1

3c31a2e12ff26e8a1a45d99f8e02feeeeb013bbf
SHA256

54af753863d5a910ec6c0c8c24841b77cf521e87e6a7e032a9ee06e37472e97b
SHA512

1251868c0f9a630ffb06458ab7943224dce4d55a118a1a4a626294e3f759433f5ad83e84652f2897e41081ee5a3abf3895c507ff2133551fc2b6c70d0117180b
SSDEEP

1536:nHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRY9/541hq:nHYnh/l0Y9MDYrm7RY9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	4607aabb6e54b7279cef034c033631d0N.exe

Deletes itself 1 IoCs

pid	Process
2068	tmpB13F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	tmpB13F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpB13F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4607aabb6e54b7279cef034c033631d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB13F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	4607aabb6e54b7279cef034c033631d0N.exe
Token: SeDebugPrivilege	2068	tmpB13F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4836	5036	4607aabb6e54b7279cef034c033631d0N.exe	85
PID 5036 wrote to memory of 4836	5036	4607aabb6e54b7279cef034c033631d0N.exe	85
PID 5036 wrote to memory of 4836	5036	4607aabb6e54b7279cef034c033631d0N.exe	85
PID 4836 wrote to memory of 3568	4836	vbc.exe	88
PID 4836 wrote to memory of 3568	4836	vbc.exe	88
PID 4836 wrote to memory of 3568	4836	vbc.exe	88
PID 5036 wrote to memory of 2068	5036	4607aabb6e54b7279cef034c033631d0N.exe	89
PID 5036 wrote to memory of 2068	5036	4607aabb6e54b7279cef034c033631d0N.exe	89
PID 5036 wrote to memory of 2068	5036	4607aabb6e54b7279cef034c033631d0N.exe	89

C:\Users\Admin\AppData\Local\Temp\4607aabb6e54b7279cef034c033631d0N.exe
"C:\Users\Admin\AppData\Local\Temp\4607aabb6e54b7279cef034c033631d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ixymg7nu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB258.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEC905E778544C2B903AA9DE46607D11.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Users\Admin\AppData\Local\Temp\tmpB13F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB13F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4607aabb6e54b7279cef034c033631d0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB258.tmp

Filesize
1KB

MD5
0e54fbd7f8bf888eb5cb41380ec734ad

SHA1
5c8fb117cce9be11723bd9985100ffb3e7f6e2bb

SHA256
55948dd2217a0d3fd190337515d73605bf02cd30a28d837a66ad0cc253af04a6

SHA512
f2cd2be9e56459db82378973de54a5f2f9e7878b1fdc381c9e8691c6ff07c4c916f4a0425abb22350c626ffd12f594fca7d8f3e07277b06921ef6b32d38e63b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixymg7nu.0.vb

Filesize
15KB

MD5
d046c03ad39b6b24ee53b9285708ac36

SHA1
efcfde551509f9b327a7a5d9178116917644f6d1

SHA256
2032135c48e56ce45bc50690cbe643285a5cb02f06719cf1368d7b116130bcfa

SHA512
a9505408aa4eae43ab2f370c0c99329b0b29241c08b4e24eea5fc7dd6ee87a2e3c9e8c20fb344ae679f7fc6a3e04ad18863b58a59ba0bb8d542819270fc3e7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixymg7nu.cmdline

Filesize
266B

MD5
92a436ca7443a308ec5224be78703690

SHA1
bc526c9c88cd5021721a182b16876fd55c4fc923

SHA256
db8ed3fa63be4f9fd733045cd36a79e3c98868cadab87fcb0097762b4b229784

SHA512
b72dd98c38a6be303f83fca1a60b0ca2dae768e3dbf5900aeb754b68177694fb5917e4fd5f02e6f0f32f4d16fdb825c6b7f2fe45db5b0ee75cc408020f401bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB13F.tmp.exe

Filesize
78KB

MD5
24ac94e8c5edb3bc4428cf910de6b932

SHA1
38f9745db3a98ccedeec97a8120cbd6e677d9621

SHA256
19da71c62c9ea3678002eb0a22fb7905921c6af4b34c9887f3d30a664355aad4

SHA512
77672258fc87d646d584949bc951cd28dd84917018c2da009de9c0ddd67cbfd56b747606ae0c94e6c2a7645b30486949e4e1a8b9c9d54620cea6cf1739105ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFEC905E778544C2B903AA9DE46607D11.TMP

Filesize
660B

MD5
0e522faea5a99cb32e9b87d9255dc9e7

SHA1
893ae74cdba7f6c2a5696d329c4d595138e22b1c

SHA256
e6b1fe3f5c3bd1ea674ef14ab20207cbcc3724149d457ca43a25af18cdf83f20

SHA512
b33a8c592afd4e9f21efce5d12127cc07f12eba4b7ceedfb9628fb69e9ba038cf755a8d3207b4b9c0096fdb419b94a5030cea495e6b2b10b7713826cb8be1d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2068-23-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2068-24-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2068-26-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2068-27-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2068-28-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4836-9-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4836-18-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5036-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5036-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5036-22-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/5036-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads