metamorpherrat | 9c121272cc8944ba39ad4886863504fbdc1eccae00c790fd3c0e5e3d280f3cd3

General

Target

fbfb295282e62c72af0c49a8817d7a50N.exe
Size

78KB
MD5

fbfb295282e62c72af0c49a8817d7a50
SHA1

5e68f16d1431541c27d400b483b4611f2ddf9d83
SHA256

9c121272cc8944ba39ad4886863504fbdc1eccae00c790fd3c0e5e3d280f3cd3
SHA512

bcd67e221c3609b112682677b564171fbc6c34fe16d3747a6bdb55abbbf4569a4cfad43ed6a8ad5c23b3bbab3e06b18f69b2dd9ba50b2227cf24991ee791c701
SSDEEP

1536:BWtHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtec9/A17J:BWtHFq3Ln7N041Qqhgec9/8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fbfb295282e62c72af0c49a8817d7a50N.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	tmp611B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp611B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp611B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbfb295282e62c72af0c49a8817d7a50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	fbfb295282e62c72af0c49a8817d7a50N.exe
Token: SeDebugPrivilege	2476	tmp611B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 808	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	86
PID 5020 wrote to memory of 808	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	86
PID 5020 wrote to memory of 808	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	86
PID 808 wrote to memory of 2092	808	vbc.exe	88
PID 808 wrote to memory of 2092	808	vbc.exe	88
PID 808 wrote to memory of 2092	808	vbc.exe	88
PID 5020 wrote to memory of 2476	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	89
PID 5020 wrote to memory of 2476	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	89
PID 5020 wrote to memory of 2476	5020	fbfb295282e62c72af0c49a8817d7a50N.exe	89

C:\Users\Admin\AppData\Local\Temp\fbfb295282e62c72af0c49a8817d7a50N.exe
"C:\Users\Admin\AppData\Local\Temp\fbfb295282e62c72af0c49a8817d7a50N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\paj3o42a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC1C758E45574E64B780A9534376C4EC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fbfb295282e62c72af0c49a8817d7a50N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES61F6.tmp

Filesize
1KB

MD5
f1d55444785e061cb54b2c476ff0c082

SHA1
aebd78ebde932aeb0d252d3eb7466ad94fc056b3

SHA256
1357cf5a05ebb2095a99aced10bb05cda60c1d21aa22c356e266fbdc29329d65

SHA512
a29cc05081db37625628d8ab3880562ed80d5fc5994338f006e71daec64c70bdce6efd8eeb92918636ff5cc221b448101ecc2470832366a8ee62e7d95ed68550

Download Submit
C:\Users\Admin\AppData\Local\Temp\paj3o42a.0.vb

Filesize
15KB

MD5
81f66728e9bb8caa570640d248e718b6

SHA1
59a9d79efdb98e6ccaae092ea0791ccf9ce98a36

SHA256
7fae9c80aa3df5a68442976a65d35eece694c31d8730c064686e54e308db87b4

SHA512
1be2d5a3c0010724895ea8e2ff1f717bfb178eaafe512ea61a4ac6ecdcf33ab2a1b22b240e20d2ece96cfd7f965f5f618b18489e6e03afd5418fe2061996a693

Download Submit
C:\Users\Admin\AppData\Local\Temp\paj3o42a.cmdline

Filesize
266B

MD5
f493e8cedbab33f547b86c18c9dc123d

SHA1
16e397b792bc472629ae77e8f570dbb38ff1d4eb

SHA256
813fe02d03a02c2e9eef908fbafd912ef22bc33b07f1baf5551ba4e01cc1f449

SHA512
0968e7f4843a7eea91010cf83ced1faa3a056edc7bbad42f92eaa251bbd53326b679a997c5e26974a7e9425bd1dfd2e4b54c7c8cc2ba520eede8a174d0b80ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.exe

Filesize
78KB

MD5
61d3b404b0278216166e7ebe71b40950

SHA1
ea1308958a5421468ae1112593904b7101737612

SHA256
03d6d5ca4eb575975874100dc2b4e2388483da27def8576a0dbb7df5d17fada6

SHA512
89f005f80ebcb68b79f5ea9ec0d390cdbba65dfac308e422901deeaafb00b07156e8603a035236e3f1645b81b83a1dc38015aafd32bded2c4ec53320ba50829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC1C758E45574E64B780A9534376C4EC.TMP

Filesize
660B

MD5
12837e3accbb0053cb58315553388b00

SHA1
80e7b1ad32d8541957c8d71ab772ad11a3239348

SHA256
05ba7b6e3229b6c6b50a853148b55d42328256bd41420cee8647fdd6b94c9599

SHA512
3b99428ec2910822befcb410d9f5e051ee128adb03ddf9597c0561883417c285ab109ed18a440bd9ca5eddaf6af96b3f9ec92f758cfec8789ebfeea9d6f7752c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/808-8-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/808-18-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2476-23-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2476-24-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2476-26-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2476-27-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2476-28-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/5020-0-0x0000000074762000-0x0000000074763000-memory.dmp

Filesize
4KB

Download
memory/5020-2-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/5020-1-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/5020-22-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads