metamorpherrat | 863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3e

General

Target

863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe
Size

78KB
MD5

daac97a0d08a51bd310fab3d3de573e0
SHA1

d60f3a880a7584ffb3b7882b670e2f309ab644d4
SHA256

863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3e
SHA512

682d2daf03932176e51ee88eed891a75743cbfb14b022f10d8ef2e90569dacd7c4618c0edf871590690a775a735f42bc47c44c5f49e6e63df4e5e0b8dba4bcee
SSDEEP

1536:TStHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRu9/Gd1VY:TStHFonhASyRxvhTzXPvCbW2URu9/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe

Deletes itself 1 IoCs

pid	Process
4232	tmp7A02.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	tmp7A02.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7A02.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7A02.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe
Token: SeDebugPrivilege	4232	tmp7A02.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 5064	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	82
PID 1348 wrote to memory of 5064	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	82
PID 1348 wrote to memory of 5064	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	82
PID 5064 wrote to memory of 1744	5064	vbc.exe	84
PID 5064 wrote to memory of 1744	5064	vbc.exe	84
PID 5064 wrote to memory of 1744	5064	vbc.exe	84
PID 1348 wrote to memory of 4232	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	85
PID 1348 wrote to memory of 4232	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	85
PID 1348 wrote to memory of 4232	1348	863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe	85

C:\Users\Admin\AppData\Local\Temp\863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe
"C:\Users\Admin\AppData\Local\Temp\863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgzyikgl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DC5A1275D2B4CEF8E376EFEA6B1D01E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp7A02.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7A02.tmp.exe" C:\Users\Admin\AppData\Local\Temp\863a2d2c67e4a5cfad7cdb20df983dfce833d3a8f349d933e5535a158cc8eb3eN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B4A.tmp

Filesize
1KB

MD5
2fda2b39a63fbb581b649a15dfc1d187

SHA1
01e17f05d4057b9132df999b09d6ab42b9d23f9f

SHA256
1ecef1e605a59947c7924b0da60fcaf309c6fb0faaf82fa16a746919526d2d4f

SHA512
827bb4951c9955f9bae9ec2aaf2f177210edb62a3e908d84d23ea23673569c79de014da59b98c0ec542a3174eff5c7814bbc75587c7c2daf5edb942b60bb3223

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgzyikgl.0.vb

Filesize
15KB

MD5
2a5042d4ececee6eb81f19d767fe33c7

SHA1
67ff6af9400c5665af9e6aebebf413bccbd04600

SHA256
e0846da828537081bfe697e94e18adee879ca6461ae48ae52dd45871405e8e42

SHA512
0a412aad4e7f28e5cb3b0bd5564d072ceca2eb6d87d4c74c3d54f1482e110883765ba043bcd489de7eff474d4fda24021ccc0011f72d20d8a300824aff12d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgzyikgl.cmdline

Filesize
266B

MD5
87fc1d97cfb98ff0d32c2a74b4abeb20

SHA1
3223f26e3e0d38839c610e538b02064de0dcf58d

SHA256
f6c0dc8b966092d995dd6e4f9a18931475881ad3c749ef3370dc8a729409ce7f

SHA512
fa6fa3825a5dd93c76af6b6919a2b1681fb0d3ef9e3c75b9ccefc8cb749ea30b7644ba46193378835535f898893d589f87ba037a6719b58dc6c4916ef6be45e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A02.tmp.exe

Filesize
78KB

MD5
423a722eea3b54fb4842d37ae8413e87

SHA1
7eff714d4f5444441c454367bb30ce72c82055ae

SHA256
fac1f89d0356aaed5645a1e6601de99b2a7b2a088743b27f246af86f67d5b8e8

SHA512
e0626b7da8831b1e2e238761b17ad2eb4545ac692e3b6efed046359bd35c054c495b3fd41424a71623f5f0604a46dfd4fad2f780e4bd2dc6f7c12ad029569cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5DC5A1275D2B4CEF8E376EFEA6B1D01E.TMP

Filesize
660B

MD5
5263348eb39c6354ab97432934a908c1

SHA1
409d8b14dc14815ecb8d9a2637df54ccf34cbff0

SHA256
4b0858cf48b674523b33cb78e92bf856d647a8c6d6a7ac29e01adc5480888aef

SHA512
c4f9853dc29bd564136bfdd0b2a76ddf95501e3b1f0e73fb0b944fcd72dfb5a06f7cb44f6547c3c5eeaded2680d04b97c7a0ee51d1ace72bc5c192887eb3b33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1348-22-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/1348-2-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/1348-1-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/1348-0-0x00000000753C2000-0x00000000753C3000-memory.dmp

Filesize
4KB

Download
memory/4232-23-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4232-24-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4232-26-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4232-27-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4232-28-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/5064-8-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/5064-18-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads