metamorpherrat | be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17

General

Target

be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe
Size

78KB
MD5

45309cbe21e9ffdb1313d47c9e06a250
SHA1

1029e05ccbd273fe37dbb0f87e3831547d88040b
SHA256

be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17
SHA512

0f87e54c93f765afffd9761c9526cc12dc4fe3cdb8313d0436f3e5fb726cbe02bb9f994d95802f97534b3fc41c7acee0601748db042682d50c668b338e294757
SSDEEP

1536:UCHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQt1th9/31nc:UCHsh/l0Y9MDYrm71r9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe

Executes dropped EXE 1 IoCs

pid	Process
2464	tmp85AB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp85AB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85AB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe
Token: SeDebugPrivilege	2464	tmp85AB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 744	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	82
PID 2996 wrote to memory of 744	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	82
PID 2996 wrote to memory of 744	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	82
PID 744 wrote to memory of 4396	744	vbc.exe	84
PID 744 wrote to memory of 4396	744	vbc.exe	84
PID 744 wrote to memory of 4396	744	vbc.exe	84
PID 2996 wrote to memory of 2464	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	85
PID 2996 wrote to memory of 2464	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	85
PID 2996 wrote to memory of 2464	2996	be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe	85

C:\Users\Admin\AppData\Local\Temp\be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe
"C:\Users\Admin\AppData\Local\Temp\be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnv5d15m.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8666.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7619219BDB294C28876B28A78AEE9EA3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\tmp85AB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85AB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\be5c742d41fa69c0c3a266fc8a57cea4a7c5f297e2c3d5d6f2af125f29fdab17N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8666.tmp

Filesize
1KB

MD5
8b3db4698af771e1a4ff1550e3321043

SHA1
84636dc45560f689b4c4ad737cb0907731d7e7a1

SHA256
73123b910282839e8f06f1c71cd716bdb57654e0c12e0669cf2d897ecc2cc612

SHA512
d201acfcf5af9792433fb42c797e18f6d57a8b4cf8186a15a58cc98f1ed937139c92455c518a77132de4fd2a9c23c56f66f7573f3f7adc9606f6258b12b1aedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnv5d15m.0.vb

Filesize
15KB

MD5
91c3715fadd3a3d1a7c81e1820dac903

SHA1
8492ef205952dbee1847f7c4aa96194ebdf88bec

SHA256
371755ca31bfd2af3f8ca75f2817389eb1cd69ae9a528791bd1911340ab5892c

SHA512
d45d28dc678df8e124e380c1402b39bdfa274346c83f432eb5dfa7160e850201af17bc4e672420c08ce29772610aa45b1415ddda8f3bc030694945a18c96ee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnv5d15m.cmdline

Filesize
266B

MD5
ecf40612e44ca745b425bb0e3071ff86

SHA1
2209ad335100330065d970cb8d7d9e8ea93e5bc7

SHA256
67d414aa594a190d6375e35235ba47fdd2178514fffb5e1703f91b6eb061a175

SHA512
891d44c6229f5404b5d7ac57659df36458b0c50991a21a65550cbe833aa9773b0d7fefa4c2718c5d1659d553dc505eb75055c6a418eb05b26cc775cf36830c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85AB.tmp.exe

Filesize
78KB

MD5
50ff49b0b7df7167062e74d8fdb15da5

SHA1
768b50fb52e5e500656e0be1968cd1a7a4e354fd

SHA256
e636a1b616a3c701f8a65caa2a521863cbe2b362865a9f46c788af737f85c89f

SHA512
25da26e53d195e03f10dc5f66ef488fff561e274edb346b158718858884fb213a6b2ac5a5382688af87b14f8d4d99dc68b4efbd6a2471d0d3cf25aa2fb504b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7619219BDB294C28876B28A78AEE9EA3.TMP

Filesize
660B

MD5
3173bc517f00641c2d5ea0fec7278036

SHA1
d694f8eb2e9e285596b5f3423a512baca21b4465

SHA256
8acca02b9ee5d655b86ec900cade809af4a5c46b7d61c895dce3a333e332e889

SHA512
e8e09b465ee35d14d84bd5a17edcd8afb38000213f69771fc9c290b6e3444d028acd686052ce02636642ec19457c9a0cc634f4be0b0bf3ba23d105e5e31567ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/744-9-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/744-18-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-28-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-23-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-24-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-25-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-27-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-29-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-30-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2464-31-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2996-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2996-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2996-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2996-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads