metamorpherrat | 3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831

General

Target

3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe
Size

78KB
MD5

2883e763338312aeae24f3ef2e848110
SHA1

aa88a9e0c0d58428e09a43fb3a8259c669499420
SHA256

3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831
SHA512

a635c18d27422308b2abe84a89257bec49802048cdc9ecbcfb821cddaa5895e17afaec7d7147d537e9644ae6660da48656aa615f07d4cce938737912715658e0
SSDEEP

1536:65jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6q9/oT1m+:65jS4SyRxvhTzXPvCbW2U99/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe

Deletes itself 1 IoCs

pid	Process
3840	tmp6BF8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3840	tmp6BF8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp6BF8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6BF8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe
Token: SeDebugPrivilege	3840	tmp6BF8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2076	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	82
PID 2252 wrote to memory of 2076	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	82
PID 2252 wrote to memory of 2076	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	82
PID 2076 wrote to memory of 1272	2076	vbc.exe	84
PID 2076 wrote to memory of 1272	2076	vbc.exe	84
PID 2076 wrote to memory of 1272	2076	vbc.exe	84
PID 2252 wrote to memory of 3840	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	85
PID 2252 wrote to memory of 3840	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	85
PID 2252 wrote to memory of 3840	2252	3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe	85

C:\Users\Admin\AppData\Local\Temp\3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe
"C:\Users\Admin\AppData\Local\Temp\3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhuqnlhp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D1E7E89F96A4715B3B05CF244E3B7B1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\tmp6BF8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6BF8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3df6e9c1c706b1988cd3b777fc4da823842f9dfe100f9379e90476c9bfe69831N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp

Filesize
1KB

MD5
84b3fcef76cc81e12d5bc6a8252c9f21

SHA1
c62c8f9cf252aa983ba9afcfd6f047b643489e72

SHA256
d0ec76f31534a3bc2ab97172a7ea38a4fdf41dadeaa6ad954d4d7c0d9be18e91

SHA512
fd594f277ef93f5daaef4bca63c0818800b1044f731dd278c0755208fe7410e2e5c599d90316117567f593ee5ab9e02bad43fe7279e9882bf44b0622ba1d5687

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuqnlhp.0.vb

Filesize
14KB

MD5
a942fb790931695fd4baa0b19c812dbb

SHA1
b1002dcee95da585cfb921dc7163e3360e817848

SHA256
41b09c8215dcaa6030d3b4771c0bed7926dd0ee57e278469c2fdca846f0ae092

SHA512
147d58d3116a1a67eb78834e926954f0bda43c085fa69a536d09bcad22b571cb277e34058adf296a3143e0fbd86866668b0d98269d7532fd3ca03dcaf5756eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuqnlhp.cmdline

Filesize
266B

MD5
8db524a120e345dcb31d652cad2f9a60

SHA1
7461a1930e540bca8e3b934fb965cb14759fd05d

SHA256
7730b121382a4edbdb62c5cf794feeaff5efb06181e444d40e7a74637ffce4e8

SHA512
7a664526abf2273947b3f0d7e9352ef9d1014c9549c7ceded02e3d561510d858af14b83f9b31b1e9e31622bd2c09460bdc93f1992721a28000f899428e310eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BF8.tmp.exe

Filesize
78KB

MD5
1064663d8986f8993835b9262b3c5190

SHA1
5d3b8877c27076023ae035a2befdbbb49d148e7d

SHA256
ad748658051d6137131307dab6a1e92b845df4869523438823068e9b3f6e985e

SHA512
00bb9dd8709c89e05b23e96d76e60fcc9285ad032e3df8316327cafa974c3334450b771db6ca9e34d481f8d7326687d1d796cc1487fd61c92ba5e18c4e124e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7D1E7E89F96A4715B3B05CF244E3B7B1.TMP

Filesize
660B

MD5
21b031582d540cda413a5b7e07f9334b

SHA1
84d7caea9deb941ac02cd39107a51f8473282477

SHA256
f60d7ec4a9ec01fc18f1a976c590e7b6b4b4fd2a7883af9bc82454ca82ba8514

SHA512
390730e218dca8947dd62c1ca19c8196e6b5dbd258bd0aea1f2f8e452cb9e15d3ac9c3b700ae369b1b9b17328d34745c210b7cc385f6697bc97f877715bfee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2076-18-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2076-9-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2252-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2252-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2252-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/2252-22-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3840-23-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3840-24-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3840-26-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3840-27-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3840-28-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads