metamorpherrat | f87e95bd4452223f851123f1067bca8f41b3cbfa2aabad8a461c3d8f1966522b

General

Target

826082ee131cd5e61515a16471b3a950N.exe
Size

78KB
MD5

826082ee131cd5e61515a16471b3a950
SHA1

22b90b193671642e16a257c68a86a392bc3b90a4
SHA256

f87e95bd4452223f851123f1067bca8f41b3cbfa2aabad8a461c3d8f1966522b
SHA512

e0b1cc7d28436ed79626d5ac3842f3e7d4085ad41a9902e13e4041f0a647eb112ab0e7eaefa1cab8377999533a7b74410d710f83cdbd70e7ff51d73b31ccc3c1
SSDEEP

1536:C5jSmVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC629/k11So:C5jSm/vqyA11XYUBxprBPjcu9/kn

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	826082ee131cd5e61515a16471b3a950N.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	tmp859B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp859B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826082ee131cd5e61515a16471b3a950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp859B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	826082ee131cd5e61515a16471b3a950N.exe
Token: SeDebugPrivilege	3032	tmp859B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1876	2732	826082ee131cd5e61515a16471b3a950N.exe	85
PID 2732 wrote to memory of 1876	2732	826082ee131cd5e61515a16471b3a950N.exe	85
PID 2732 wrote to memory of 1876	2732	826082ee131cd5e61515a16471b3a950N.exe	85
PID 1876 wrote to memory of 1728	1876	vbc.exe	87
PID 1876 wrote to memory of 1728	1876	vbc.exe	87
PID 1876 wrote to memory of 1728	1876	vbc.exe	87
PID 2732 wrote to memory of 3032	2732	826082ee131cd5e61515a16471b3a950N.exe	88
PID 2732 wrote to memory of 3032	2732	826082ee131cd5e61515a16471b3a950N.exe	88
PID 2732 wrote to memory of 3032	2732	826082ee131cd5e61515a16471b3a950N.exe	88

C:\Users\Admin\AppData\Local\Temp\826082ee131cd5e61515a16471b3a950N.exe
"C:\Users\Admin\AppData\Local\Temp\826082ee131cd5e61515a16471b3a950N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ez9vkdyu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6ED8CFDF4444CFEBAD67CE4158CE6B2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\tmp859B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp859B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\826082ee131cd5e61515a16471b3a950N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES86E3.tmp

Filesize
1KB

MD5
099bfdcf70904d8b6785ab428bf8e958

SHA1
61884cc93c4737561201f65b527bc78f5f37efdb

SHA256
cebb19ad44a9ae574d080cfddb1300a02225876b5dc114215a7fe62006e035ac

SHA512
94f8a75488938ddb9123086605b39820147f9f0399d96a102f62c3818a878b971c3fdc6fa0cf35dedca677e94ea508ec7622ffe5a5c77dce0be360f96cd8681d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez9vkdyu.0.vb

Filesize
14KB

MD5
5b0d3a72051589f56ba89abadb3c6183

SHA1
6f84dac1abe8a97f107e6566f7a6da74d6c01dc3

SHA256
ca2f22581e131e4a5a6aff32ac6495ec0af4cf8c6b6265d244bcf6700850dad9

SHA512
403438ecab9ed155ea8c4f9a7a2f4122d1ca05580f9894c691a2c2191aff793b8cd6a0fe7a2bf793e1bd36fed2dbf8457e89d943655d003d225b2ea683a86084

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez9vkdyu.cmdline

Filesize
266B

MD5
60ad81338759c2e04043977bef7f3070

SHA1
fdc3252b816a3f37052b22b0574fb8b0746ecee5

SHA256
b4609377f3740b4c8c60095a61eeff5cf9af6c9c23d8bbab00f2b3d27a8de9f6

SHA512
430e651a43e7c9417e30394e4192c4ca85bbd8f827fadae81d748638441b525377285b226aaab045e81c8fbb34763ab5abf0042b3fd737d2d0db5c8473931e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp859B.tmp.exe

Filesize
78KB

MD5
69144a737fd4e70190f6b14178d4287b

SHA1
d6155a0e026813ac65f29224fb6620315b387030

SHA256
798dd35f7e940160bc378f6465688e5459b0f8f8a80303ff75ffde7fcb0a3f83

SHA512
620f4b9bd933b5bdd4ff90a3581befcf0bfc802aea3781ba601af85b651b253f1fafdcb93562a0e83b516cf86e6d50919f3a1dd40999c8a62b8ee5da99bc84b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6ED8CFDF4444CFEBAD67CE4158CE6B2.TMP

Filesize
660B

MD5
665d89d18e78f0fb140363531c221a3f

SHA1
2dd5a3eadc96bb0d4543475c723ec44c9709186f

SHA256
234253d846a7d6be5e1b11096f7b773f0be2ea41108f9f014708abafb4bafcc2

SHA512
d5a9d685f306dd645ebd1a44dce65d2c4ae0de4b9c7c1eb941540468dd88a817eed7651bc027a8a489333ab05157464141ca9f929120c40a61ff34defbadc4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/1876-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1876-9-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2732-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2732-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2732-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/2732-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3032-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3032-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3032-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3032-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads