metamorpherrat | dea8f4ff2ad43f1e92b8a43831472d9a7e383b09138dedbafca54c8084c400a1

General

Target

49546e74e611e45cbdd8cc24c9a6faf0N.exe
Size

78KB
MD5

49546e74e611e45cbdd8cc24c9a6faf0
SHA1

89f23dc38d0c74bf7acfffa00cf26d97e2af823f
SHA256

dea8f4ff2ad43f1e92b8a43831472d9a7e383b09138dedbafca54c8084c400a1
SHA512

024ce617d32c4553ce521ec4faca5467751d193ea6b6c2d41b06eb023af4ea01c52dded608deee41a9d6ac2e2e50d331deb35761659b155f18b962a309198dcd
SSDEEP

1536:Ry58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6O9/s1/5:Ry586E2EwR4uY41HyvYp9/A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	49546e74e611e45cbdd8cc24c9a6faf0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	tmp5DAB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp5DAB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49546e74e611e45cbdd8cc24c9a6faf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5DAB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe
Token: SeDebugPrivilege	4408	tmp5DAB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 5016	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	92
PID 3596 wrote to memory of 5016	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	92
PID 3596 wrote to memory of 5016	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	92
PID 5016 wrote to memory of 3976	5016	vbc.exe	95
PID 5016 wrote to memory of 3976	5016	vbc.exe	95
PID 5016 wrote to memory of 3976	5016	vbc.exe	95
PID 3596 wrote to memory of 4408	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	96
PID 3596 wrote to memory of 4408	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	96
PID 3596 wrote to memory of 4408	3596	49546e74e611e45cbdd8cc24c9a6faf0N.exe	96

C:\Users\Admin\AppData\Local\Temp\49546e74e611e45cbdd8cc24c9a6faf0N.exe
"C:\Users\Admin\AppData\Local\Temp\49546e74e611e45cbdd8cc24c9a6faf0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rp3dytu4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74796BCCA71E4305B8DA65E6CA8431F8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
- C:\Users\Admin\AppData\Local\Temp\tmp5DAB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5DAB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49546e74e611e45cbdd8cc24c9a6faf0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5EC5.tmp

Filesize
1KB

MD5
8dc793d8d62232899f8ba4995f322d0d

SHA1
13c48e9a91cc85a4ae66ccfaa754cb876ed59382

SHA256
13dc55899364c4da3d6e33be009372f97cbcb29fea66299e3bda288171062776

SHA512
d9727352e051062b0aea268c07c36b24552ef6981faf53f7a8c066e3d692aee24077d7b5103249e1d3a262ca0f006de03cb72ab8739c35c5a85624f001481e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp3dytu4.0.vb

Filesize
14KB

MD5
6eede3c5f683730bf72cbc5d2425c7f5

SHA1
d98faaf9f7d77b47dfbd39110d5efd69b133dbb1

SHA256
07ba02ff641b4bd9d30058d89a756d1cef808c4517aedbaebe271659b53393b3

SHA512
34f471f8ca30eaa93c62fcf58d2f7f2194bada581f828d997c6f29741b3cb8361c15d349248d100ffb1f3f15012cd49665eb5d35061cb23b151ad9d56c72e069

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp3dytu4.cmdline

Filesize
266B

MD5
f941c4faefb97706d4ef8093c82e72ef

SHA1
69d225b97bd4cbda9c09c2e601d525a3fc52fbd9

SHA256
7046a4301ba64d0379f9ce055777ef4b5ee7a6eadf24beea4781ddc86fad47b6

SHA512
60d29fbcfbf5a706f4d817d166a0cb2c03df49588388cfbd1648b9db1fe31ecee015a9f2b81920ebcd3c191fb6f21699d87cef516be4f32b0d0cb8b9509b2c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DAB.tmp.exe

Filesize
78KB

MD5
061d13cf6848a6d23b2546df0d0df12f

SHA1
92bd2226f7ae327c8cdf1524eaa140897296e7ab

SHA256
77c3515c20550021c5dc4c0f90c4277b884334994ff74d6eb5bb4d4b70dffae0

SHA512
fe4de1007009404b90c5bf127d1fe1e053fa5b8d65832da0fabd2e2c5f5936ba108c254a26c99956d5fb03b9a4c128a4730ea4dc958896961cd0976043610043

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74796BCCA71E4305B8DA65E6CA8431F8.TMP

Filesize
660B

MD5
68f4a74a7a4c950a699d45c8eb3a51c9

SHA1
c395cea4b6528449f2d7b5e14ab90b6d1fd76e8e

SHA256
72203df978785af83357fa13be14300fb87baebea3ed1cae235741e7dd4ca87f

SHA512
3b0a40b3a44a2bf9079d5b80bd97e2bc5d80c7637c9970bf3a60328392740eff907d386bf89147b2719620aca855a5d3ff4f84df347809b0c249d75d251a1269

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/3596-22-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3596-1-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3596-2-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3596-0-0x0000000075362000-0x0000000075363000-memory.dmp

Filesize
4KB

Download
memory/4408-23-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4408-24-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4408-25-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4408-27-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4408-28-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4408-29-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/5016-18-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/5016-8-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads