metamorpherrat | dda190817a878208465944ffc20bba4106d7f1e79231b38804f6b0ab04e45e02

General

Target

b8793caba27d0eaab94758c378efe000N.exe
Size

78KB
MD5

b8793caba27d0eaab94758c378efe000
SHA1

737051e456217e8a4449bdeaba2432fdee839012
SHA256

dda190817a878208465944ffc20bba4106d7f1e79231b38804f6b0ab04e45e02
SHA512

b33828c38210216c131a43ccda2541abe483902c00f7f546c9cff6996cc65e6dcac51b822211bc30337a5d7555472c15deaf25cfc9cea5c37d8c30d6d1aaec7a
SSDEEP

1536:6y5j5dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6MM9/f1LI:6y5jkn7N041QqhgA9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b8793caba27d0eaab94758c378efe000N.exe

Deletes itself 1 IoCs

pid	Process
1676	tmp825F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	tmp825F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp825F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8793caba27d0eaab94758c378efe000N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp825F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	b8793caba27d0eaab94758c378efe000N.exe
Token: SeDebugPrivilege	1676	tmp825F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4764	4324	b8793caba27d0eaab94758c378efe000N.exe	85
PID 4324 wrote to memory of 4764	4324	b8793caba27d0eaab94758c378efe000N.exe	85
PID 4324 wrote to memory of 4764	4324	b8793caba27d0eaab94758c378efe000N.exe	85
PID 4764 wrote to memory of 2480	4764	vbc.exe	88
PID 4764 wrote to memory of 2480	4764	vbc.exe	88
PID 4764 wrote to memory of 2480	4764	vbc.exe	88
PID 4324 wrote to memory of 1676	4324	b8793caba27d0eaab94758c378efe000N.exe	89
PID 4324 wrote to memory of 1676	4324	b8793caba27d0eaab94758c378efe000N.exe	89
PID 4324 wrote to memory of 1676	4324	b8793caba27d0eaab94758c378efe000N.exe	89

C:\Users\Admin\AppData\Local\Temp\b8793caba27d0eaab94758c378efe000N.exe
"C:\Users\Admin\AppData\Local\Temp\b8793caba27d0eaab94758c378efe000N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kfsln7j7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8368.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc826DC74919E74AFB9F61ABA0C25EDD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\tmp825F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp825F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b8793caba27d0eaab94758c378efe000N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8368.tmp

Filesize
1KB

MD5
11c4c0826feef20176040caf4dbfe9fc

SHA1
b87143a7dc7891372223747f9530a511ded37b82

SHA256
d528da6a120bb819e09e6154d485662e7dd3ecc1125aea2108aba3d942df7b22

SHA512
e202f88a8f6a28df040bc8af3f4747c1d7c366b1a39f8a0ee58b80d1c054b56e914a4cc73c04cf71da7bc563e530532b887727d04272fbb140c367672f3fae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfsln7j7.0.vb

Filesize
14KB

MD5
7bdb130e7cf9dee56e7e8060ea8f5859

SHA1
4226227ddb9098b6a2661e30950b2f789d3dda4f

SHA256
7b4872ee83939f6c44977e905be70daec95301981bb27a96025210f2579ea975

SHA512
5e4844db358b99ec5c01fe5a86e7e31f3db3ed60413ac5bf82acf9cc7df1846d2d1d90a95aaf57619cd128e50a89cd2f8fddb5dadb429dc71800b84f20708291

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfsln7j7.cmdline

Filesize
266B

MD5
7d36379b40200eca2788dede8da2688a

SHA1
9bda73b224112491b2e0c5002610c491f4b1cded

SHA256
e74dffbe71568e44656ed992e5835b2de4ba6116a0d4c8a091f8d6257283e703

SHA512
8cc746f227a6e3ff343c40023a3e7121c4c321f266fd3ef8a5225aa658e550ee7cdf25fe78badaeb5dfb27fd073346caafcd884f762cefb0ac7b298ea42b19e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp825F.tmp.exe

Filesize
78KB

MD5
25d20981630625b5e86d3fe7b5217d82

SHA1
cf2e8f33ffc5016bb14a730bf8bc35ec5c6d296c

SHA256
f70b81dd91192fe08a1fdf899e7f225556c1d4c58389c0bee9ae94d27fdbe7da

SHA512
63da859c140bc34fddc285cdc99a65a9842ff3b8105ed2c624d1b9fbbfea93c085c362bc16ff4e8e79a158b30373e68aa63192a422b31c8a39385f22ab5df6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc826DC74919E74AFB9F61ABA0C25EDD.TMP

Filesize
660B

MD5
f946615b5774dcf9b2e07105e9be6335

SHA1
15abd824b8de2cb19876cae85449b123f92eb687

SHA256
1d941371049d6b20cdabc5856d72a49c4ebe6235c2b14b3875f3870850c20864

SHA512
eb27cf46b3d61f5b9ac76517dfef8dd82f69df9a0e1129bad8c016e96668a8c171c6539e1ec9bf9ff4b38bcd9087c5333dbde35976445e88350256eb47c9f50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1676-23-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1676-24-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1676-26-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1676-27-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1676-28-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4324-2-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4324-0-0x0000000074A82000-0x0000000074A83000-memory.dmp

Filesize
4KB

Download
memory/4324-1-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4324-22-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4764-18-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4764-9-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads