metamorpherrat | 948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022

General

Target

948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe
Size

78KB
MD5

a03733be7236ec04189c4efcd350a1e3
SHA1

3f9516abefc8ad78985dcb79c5457324361a8e33
SHA256

948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022
SHA512

77ad1a08b639f9bc2008f0b3104343ad25ee32f873d25b7ddb0c0ca54498fbe1ec8fd355dca056e0238366b1998b6acb2fdfeff67b01a2dfd1b052f1ae81c3f9
SSDEEP

1536:8RWV58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96W9/81nj:8RWV58/SyRxvhTzXPvCbW2UN9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe

Executes dropped EXE 1 IoCs

pid	Process
3572	tmpB333.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB333.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB333.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe
Token: SeDebugPrivilege	3572	tmpB333.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1764	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	85
PID 1100 wrote to memory of 1764	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	85
PID 1100 wrote to memory of 1764	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	85
PID 1764 wrote to memory of 224	1764	vbc.exe	88
PID 1764 wrote to memory of 224	1764	vbc.exe	88
PID 1764 wrote to memory of 224	1764	vbc.exe	88
PID 1100 wrote to memory of 3572	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	89
PID 1100 wrote to memory of 3572	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	89
PID 1100 wrote to memory of 3572	1100	948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe	89

C:\Users\Admin\AppData\Local\Temp\948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe
"C:\Users\Admin\AppData\Local\Temp\948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vosuoth.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF57319CAF19495EB570B2BD64FF66CA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- C:\Users\Admin\AppData\Local\Temp\tmpB333.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB333.tmp.exe" C:\Users\Admin\AppData\Local\Temp\948c52f9917203376321fd24dbb66ebec29f4bac335da9253299480d96d5e022.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1vosuoth.0.vb

Filesize
14KB

MD5
0b9cc3cfee4be31e843fe23b32b2e9e0

SHA1
209969bc4775846aed1e008525a0b47fe52be931

SHA256
d955c3d4fc44255cbe84363dbf20733acfeaa51bdd3026600f73d6cef4709cee

SHA512
b848a76ccec4d8c0cdf8312187799895f9f8e75d3c95da94e2000c621a17bdc08d7b742f8afd8088aabdc9db74356fbdc72b1089b412334ccef942ce7207c3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vosuoth.cmdline

Filesize
266B

MD5
59fcc3a412010de1d0aecc7a43c3239b

SHA1
80c083d15cd7d98fd01bfd9fc3eb6b44732a69d1

SHA256
29a100cb9a481d115969623da0714670d47ab0947639e1bbc975006d318f60e5

SHA512
3544cfe721e84b975394c9ccbee78d894065e33f181bf836384de1b9e57f7f8fa3fecf105cbe06533e280d32bda2804567c91f7cdd3bfadc75e69434d836b951

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp

Filesize
1KB

MD5
0c15aa072699b975091028c75a9e003b

SHA1
ddd1736bbc80cd72b23d7df1723b9ea3b50f4ef6

SHA256
a0e445b3b150460a40f6c44a9d5f2fa607ae0ba419742c71885cbaa77b85dd76

SHA512
be4d28e89fc195d3e293e1160aee0971fe7d526f4bf1c41dc97ae9dded1eb7e610e9bd31ea80e943da530473b4ff3740f460ceb683f79ea3872fc7a3ec0b42a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB333.tmp.exe

Filesize
78KB

MD5
772268d645cb7d0a9c559eb81de27dbb

SHA1
c9f5c4cd51cd2cde88f60d0c964944836c2de9e1

SHA256
5a1bf0dc5561167df5ff3497d68ed34b02bff67ced81b5de65d3e4965cf274de

SHA512
d8c0617a9250d0223289df8e1247d1ac9db731a9db55870324bbc0c0da89f9e6e3c1d01d64a5650c7509c8c0c77eccc6260a3617206aa88ab83d6d47f77a9519

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF57319CAF19495EB570B2BD64FF66CA.TMP

Filesize
660B

MD5
40699361ce08432d0481127f03bce32f

SHA1
72bcb73b81d8a1bac18a616d74a9f73ca8ef409c

SHA256
57d127c884fb4449e301c0f9e0274e13a8803287821a41431c65305595b35a12

SHA512
78985b954f0b6d60044a0d0468a343137bac860bc9ecc9a7801eae2af33c05c817d9b0fd64e41c1e12af1c5ac2ea3e381518cc1a0274922342643c6f0bb57cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1100-24-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1100-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/1100-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1100-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1764-9-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1764-18-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3572-22-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3572-23-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3572-26-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3572-27-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3572-28-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads