metamorpherrat | 094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9

General

Target

094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Size

78KB
MD5

41d6067a155a8321042893776fe9c852
SHA1

68e7ba49e2733b43b2d3f453546fecf9c8e98dda
SHA256

094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9
SHA512

1bad1478a1b3119dbc11a50555188bad83fdb3894a61a6d2c3b560d72fc67c78eaa6979b6390c1d3fc059842dea9480dd3022e1161cec769517df021b54347b4
SSDEEP

1536:Mc58wvZv0kH9gDDtWzYCnJPeoYrGQt961A9/b10U:Mc58wl0Y9MDYrm7GA9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe

Deletes itself 1 IoCs

pid	Process
4304	tmp8916.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4304	tmp8916.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8916.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8916.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
Token: SeDebugPrivilege	4304	tmp8916.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1360	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	82
PID 4000 wrote to memory of 1360	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	82
PID 4000 wrote to memory of 1360	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	82
PID 1360 wrote to memory of 2504	1360	vbc.exe	84
PID 1360 wrote to memory of 2504	1360	vbc.exe	84
PID 1360 wrote to memory of 2504	1360	vbc.exe	84
PID 4000 wrote to memory of 4304	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	85
PID 4000 wrote to memory of 4304	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	85
PID 4000 wrote to memory of 4304	4000	094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe	85

C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
"C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmakdjmc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCAB37F851844161A2A34AAE52A5EE4E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\tmp8916.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8916.tmp.exe" C:\Users\Admin\AppData\Local\Temp\094b1185526c1016fa3d52dd2d0aee3edc53bc944f1dd404fb423ffac7aa4fc9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8A6D.tmp

Filesize
1KB

MD5
e9cb3b49c332438a3b0f7e0fb4b2f58d

SHA1
9c1270646dc589fb033cc0c785ec127640c667e4

SHA256
c07da7e968063d7c645e71fd33390942c51a8b3439387d39eb3b6074768a7118

SHA512
cd020a22b6910923eaa37511ee862b8249b3bc53b53843989776ded3301f7de034d7ea41e582052eeb3bf116ca0049dfe033e9ea0046ede680fcb97f9067a805

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmakdjmc.0.vb

Filesize
14KB

MD5
cfb8892b67a425acd1de66e5eab30ac3

SHA1
e1fc1c95e32a7a820b3d0fcf72ced791a0698360

SHA256
b2e8d5b3069758e6c57d945ba412f8f5a7517aa4625b576635821a90a129f023

SHA512
d8a3075953ad55472fde0a1f6315cdb2125acdf6d64fad4a7ddfbcdeec2e418103fd1c0891f79d1434d74e856404a346dbb49b8a5d3e3dd0ef5ceccf571c262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmakdjmc.cmdline

Filesize
266B

MD5
98f5c2fb80fa8905a94fabb38edd12a5

SHA1
6c7ecf82e330fa0ff22fcb60e0091ff1ff82ad8c

SHA256
cad7832512e886dda17877957cec299d099ad6f16520cedb17a68acf1ee15960

SHA512
5db46fb18c51eeff7e776f61c5fc8c66d3c7592f130abb67d6d2ec242f5832ddddb45023e90fea1c9e23478c3207eb4cc9306255451ba5e8bd7f41b76200689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8916.tmp.exe

Filesize
78KB

MD5
44e6e677772b4dfc764791ab68df8132

SHA1
32e3401dce385bea278a9c15cae06f71b062d225

SHA256
6a23c6e888406f7e08902016665c4e0ec5136354231218a080bad6551c7b2bcd

SHA512
91523316343b0bec1f8acae260434d67c1a79867fcbc6726a2b1d982385c91b5fe58adb32df8b0ccae768e923dbf27f012420474294fa83c40adda99dba62a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCAB37F851844161A2A34AAE52A5EE4E.TMP

Filesize
660B

MD5
e31094bfb7e2e1832be58016755d1597

SHA1
4fd958bb9c89e0928bda7e81a632366a68ab225f

SHA256
b5650872af42dd5fd243685373b170a8aabc6d998ae3a0d4df91de5f989cec48

SHA512
a0a380c04308f7f4bcd3b7b2cbb21112f38885e54ae478dc8fd84178e7112955a0e5f39fa83cf4b81c451e9636a7eca5a8b437be17192d51728636d50b13eb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1360-8-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1360-18-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4000-0-0x00000000750C2000-0x00000000750C3000-memory.dmp

Filesize
4KB

Download
memory/4000-2-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4000-1-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4000-22-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4304-23-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4304-24-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4304-26-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4304-27-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/4304-28-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads