metamorpherrat | 2e1168dae7669807b8905799e3734c7a49e683db6c5fce6230a92508cf98f1ee

General

Target

dea981aaf4a2cce10bdc02ad863a0c00N.exe
Size

78KB
MD5

dea981aaf4a2cce10bdc02ad863a0c00
SHA1

5dba73213a7d5e5dbd93c78b40580d9974a4c43f
SHA256

2e1168dae7669807b8905799e3734c7a49e683db6c5fce6230a92508cf98f1ee
SHA512

1af91f3fcef41ef3eb03ae71054d0a6c2a9b3c2641f2fe0ecd2bb313b22321c409336cc5b0d654f55712acb754c900ed272355a3da1c1a14352412f31b77620d
SSDEEP

1536:WPWtHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQtt9/d1U6:WPWtHsh/l0Y9MDYrm7t9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	dea981aaf4a2cce10bdc02ad863a0c00N.exe

Executes dropped EXE 1 IoCs

pid	Process
1308	tmpBA57.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpBA57.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA57.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dea981aaf4a2cce10bdc02ad863a0c00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe
Token: SeDebugPrivilege	1308	tmpBA57.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3844	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	84
PID 4456 wrote to memory of 3844	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	84
PID 4456 wrote to memory of 3844	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	84
PID 3844 wrote to memory of 2632	3844	vbc.exe	88
PID 3844 wrote to memory of 2632	3844	vbc.exe	88
PID 3844 wrote to memory of 2632	3844	vbc.exe	88
PID 4456 wrote to memory of 1308	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	89
PID 4456 wrote to memory of 1308	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	89
PID 4456 wrote to memory of 1308	4456	dea981aaf4a2cce10bdc02ad863a0c00N.exe	89

C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe
"C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4or7fx5e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc894156A22F1446F1BAFCACD7284C85F2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dea981aaf4a2cce10bdc02ad863a0c00N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4or7fx5e.0.vb

Filesize
15KB

MD5
e54bd382598a4a66da99f764349a08cd

SHA1
97af1fd15bebe07a2b9d233c4628b491306876bc

SHA256
36c58d7cc70361629220716c479da92d75c14043280007901129cd71e7592e91

SHA512
4196dc4996e2efc5bf40de097b1ee11bc10734405c5984f6c91ea06e8212ee30dec71e6a8b50da564e7938a294785811baafa9b9e5f863e84baffc7715b7a67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4or7fx5e.cmdline

Filesize
266B

MD5
dde5d265bf9155f8b747bacebb889b39

SHA1
e5e75f069d5e7645573b0338a01f898c83c76aab

SHA256
4d616964d68041db613b9fae5b6e49027938c8f28f68cf688ca83b250e282743

SHA512
dd2e5f1a8f6ae0dcf340e24a03b5988399be043d3249e6a1d39f09af70669adf8226904f816bf8c1934d1d2c90daeb88f0210a693273fb403aaa62912a33e8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB41.tmp

Filesize
1KB

MD5
2b9d5f649da2c4c9be61d4bff34eb7e5

SHA1
fe367a43a3a2942b7e712d446a68daeec9fda84a

SHA256
3a22c943786644e87070220e6231c931820eb594fe90df0d29b44fed1689fc99

SHA512
2308c6ea90319644be210ee0e3b4c0cfea26a902651360b828431c954c06bdf9ee74b2b6b80a94bc3aba4749249d0568c3d232967dcf191ef56aae5fdf86df7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe

Filesize
78KB

MD5
33e9bfae5d502c471fc21af03a12b372

SHA1
e31bd89b21f50d9d281b825f50ce81f65ee43983

SHA256
4f9f1848457010e1c842003d4b0b0e0d7b5aaecd3af4dce14998c7bbd9dcd30f

SHA512
9d1979673ee17fd4f779ad4ec406658b92c1fd752efa30ccaddfc393699d49f8f52440ff146a36d59592d0b736aaf571c35ca7d35014cee0ef6bbd7ba1941325

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc894156A22F1446F1BAFCACD7284C85F2.TMP

Filesize
660B

MD5
51bcdec07267225b4b9dc709a6be4f5b

SHA1
f5fe02cf17e7588e51293da297fb0239d15fafc5

SHA256
e8d6463a2cf0eac94716b1938016993add9ea0a36be6cad3b6e65226f3af5030

SHA512
9d86e00426e735d6c4357846b746bf46e883a3ece214276e5204d2199449d15e95c187ed7eb8a860162f77d2b63bcdde1b683d369f2614e056c427067dee8112

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1308-23-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-24-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-26-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-27-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-28-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-29-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1308-30-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3844-8-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3844-18-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-22-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-0-0x00000000748F2000-0x00000000748F3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads