metamorpherrat | 94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a

General

Target

94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe
Size

78KB
MD5

b06ce71d691abd77583bffbc87ea9022
SHA1

4a1675c0fdb4cfbcef8ced7ac066138a74b9f61f
SHA256

94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a
SHA512

c098d37d31990dc26f0e8d53a9bbcec2c71fc76bffcc442102daaceb90a23cbc03b6192851489ca740c485d94c3eabba4443a340c1829288ceb599696c832129
SSDEEP

1536:cHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtvO9/m1+3:cHFonh/l0Y9MDYrm7vO9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe

Deletes itself 1 IoCs

pid	Process
5016	tmp6021.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	tmp6021.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp6021.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6021.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe
Token: SeDebugPrivilege	5016	tmp6021.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2716	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	84
PID 2588 wrote to memory of 2716	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	84
PID 2588 wrote to memory of 2716	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	84
PID 2716 wrote to memory of 5044	2716	vbc.exe	88
PID 2716 wrote to memory of 5044	2716	vbc.exe	88
PID 2716 wrote to memory of 5044	2716	vbc.exe	88
PID 2588 wrote to memory of 5016	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	89
PID 2588 wrote to memory of 5016	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	89
PID 2588 wrote to memory of 5016	2588	94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe	89

C:\Users\Admin\AppData\Local\Temp\94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe
"C:\Users\Admin\AppData\Local\Temp\94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gkopcy8y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1A3276A1C2B4D2E93585ECE727138FD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- C:\Users\Admin\AppData\Local\Temp\tmp6021.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6021.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94759de2b61c323019a4493aa53aeff8647f3e7423d4f7d61b0a342304d1f95a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES60FC.tmp

Filesize
1KB

MD5
f404472d17ab11dccb5f94cefc7675df

SHA1
3664ec098e2667cb58695a304f7dfa7c76f93a54

SHA256
e38d2f8a9f1b75f2a706ed63391c948c9b2c6231bdb59db605296be54c0a2c1e

SHA512
c18710963234885697260ebb6ff55b7ad768101e618fd885f8c4f712a5d41e6e1935454b125be54f0cbdc742e4e0f205f4573150bcf3a7af5a0172517d5255c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkopcy8y.0.vb

Filesize
15KB

MD5
eebd5aef28d9c2f50524e719715c951d

SHA1
278b67243ed7060c43a6652de01ee2953779ae4c

SHA256
cd6b0405ebf6f946bfe5ea0e60ac2bd2a408ec8e1e6df5cd6993b2ab2882f888

SHA512
5c662727c26d798c6dfc9b78c0f89a36dbeefe90f1e767c9009ea68cfdbf820d287c1a41c303d1e7e2f106ffee5c6341331e762518d1289885dcad1874769cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkopcy8y.cmdline

Filesize
266B

MD5
da6b539ec7ff5eb830885b6955bc02b0

SHA1
2ca2a87c55d0bc9ec7e8b8ef9bd25facc30e9005

SHA256
769db434597b7afa4331f1cb9711f3c772a90655f2b771f82ff84e272a2e31cf

SHA512
8150dc3715a8f3c22ecf56e6a2aebb3a77cf6b15b3825f7788f5580045e6188fac5b437b7de7e41c6dd524c3793a721f20b802a9d3b365dafab7663ee05b4e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6021.tmp.exe

Filesize
78KB

MD5
cadfd39be16c7ec3cd487fb24a5d2d9d

SHA1
9bbd112b16e737843b4efad198b33ecb2c5e91ac

SHA256
427a6e5dfadc5d51059b9cf07ed9840d0f93fc1cc2900e6a8f0c1bba1f045d33

SHA512
350a093bcf29782572ebb44b4753056b9a2c149b4307ce2b98ffaf79e616a2f1e27eb646d83f24dd939bc0c81fa289eb76b18127f60e0e7da2ff2e8421f2654a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1A3276A1C2B4D2E93585ECE727138FD.TMP

Filesize
660B

MD5
72998a10c6345260435b6a9cc56cee80

SHA1
73153d72b746bc8458ca35bc0b5c9e9f984975f9

SHA256
57c0010f5e125ed7e9b9565d2ebda41c482791e51180f931ed26486a61ca7a05

SHA512
9a96f7ad390d129c1d6a9fc9af8744be598025fc17c2082d82e65f4961a537a6bceac8c01d3a2e743778904c5b6900de3ef3e47bdd7090f8bc53c3e9aa82f325

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2588-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2588-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2588-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

Filesize
4KB

Download
memory/2588-22-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2716-9-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-23-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-24-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-25-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-27-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-28-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-29-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads