metamorpherrat | cb1624fb8d4ff67a6c9402fb29693ffaeda4059d8a1ce65ed61aa76a10cc69af

General

Target

a2565f04d58f58bc8ca5a960408f7db0N.exe
Size

78KB
MD5

a2565f04d58f58bc8ca5a960408f7db0
SHA1

4e73bcd7a6cff378986904b0f0e1857580308ac0
SHA256

cb1624fb8d4ff67a6c9402fb29693ffaeda4059d8a1ce65ed61aa76a10cc69af
SHA512

1eb54cbe7dfb366ec0ff0874cbc720ce80609ace1e8ae2206ad4acd70ae261159961a6b59982e38a802bbaf1dce1eeae6f2a21eee3e2ce6bcd2537f513b5c2a9
SSDEEP

1536:QPCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl9/+1Jg:QPCHFo53Ln7N041Qqhgl9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	a2565f04d58f58bc8ca5a960408f7db0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4032	tmp79E3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp79E3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2565f04d58f58bc8ca5a960408f7db0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79E3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe
Token: SeDebugPrivilege	4032	tmp79E3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1688	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	85
PID 4248 wrote to memory of 1688	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	85
PID 4248 wrote to memory of 1688	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	85
PID 1688 wrote to memory of 2196	1688	vbc.exe	87
PID 1688 wrote to memory of 2196	1688	vbc.exe	87
PID 1688 wrote to memory of 2196	1688	vbc.exe	87
PID 4248 wrote to memory of 4032	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	90
PID 4248 wrote to memory of 4032	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	90
PID 4248 wrote to memory of 4032	4248	a2565f04d58f58bc8ca5a960408f7db0N.exe	90

C:\Users\Admin\AppData\Local\Temp\a2565f04d58f58bc8ca5a960408f7db0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2565f04d58f58bc8ca5a960408f7db0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fj6rgsj7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4A0364841C48829DEE236645F5916.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- C:\Users\Admin\AppData\Local\Temp\tmp79E3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp79E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a2565f04d58f58bc8ca5a960408f7db0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B5A.tmp

Filesize
1KB

MD5
c27dfce6a895e514fdaf86714093bda0

SHA1
12361038f18da78b8277cab7d85ca63746f3041e

SHA256
4b090695301f39ad24b1e141fa6d891e6af61247e56ebb33e76af2b9eaf8047a

SHA512
e6da53a788d1a86daae0ad9710b8e869d219957117ecc05f8961daece9e886655563e9c6b3b318d52e942c8e05f324b318047d9bf11151748b4d00c8ca3f2005

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj6rgsj7.0.vb

Filesize
15KB

MD5
c6006517d4a2b4432fee67483fe1b09c

SHA1
bb538427c3264114ecfa3e6b8096210aa42ffa1a

SHA256
5819541678dc7ec4f016baf9610aa1ad23687aac56aea35bd3ff0756f348a412

SHA512
733d653b85b682fb26c5c621e92af3513d07654ff9095d5d5516fea4293ef356beb5fe7b3ca13b974f8ace414d6c8f54714160bc8ddb3f90db4b6bacc0e7287a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj6rgsj7.cmdline

Filesize
266B

MD5
8374e6f065a3188c9f3fd89b183166d9

SHA1
2e48f1d188b200e5097de02754577943a691e622

SHA256
9c88eec803e57f2092b41055d0737c118c3b67cc1b2bf7b596c38b5d5646a4f5

SHA512
52e646513c6da386f281f405285bf69f7bb0104435d99d9166e1f81deae311a3aa0f347b61e0ab492e205b33b2353e68b0e9080800faddda85788f715f951f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79E3.tmp.exe

Filesize
78KB

MD5
a0651d20bfe84bd81613d2a0c07bf627

SHA1
fa1e6761cea999353406bbcf3d8810606d2ae8fe

SHA256
2279190b26864d865a11e38490ffb21cb49e0becbe3840b7c14c3da323bdb29a

SHA512
b5c574e399ec5614ff7617593f08a78393024305ab03d1d5a88316085de1cbe361d7e909bfc749f76ffccf69320dbe7c4bb3dc5e8b967b86702eb1e8e09de388

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCD4A0364841C48829DEE236645F5916.TMP

Filesize
660B

MD5
e05f0078fd4406c1fb23365beaeb2de1

SHA1
3dd7ff70d8c9e1a8d8ff269ff2726a0e58a9f914

SHA256
1b553dcd0988b2deb35a11219cf1f02ce79b5d9b0f900048a0357c1c17fb6808

SHA512
c30e25e4aa16b81e0663be4eae6b7295f58294d7d5e47e28d997e215cedda1017d7debfe39211baab5094a0eb709d6bbcaf98901324e9fc7f68aa9ccc00952d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1688-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-29-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4248-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4248-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4248-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4248-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads