metamorpherrat | 165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14

General

Target

165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe
Size

78KB
MD5

85d106dfe2b38575d440f49eff457ba0
SHA1

eed23005ed3ac32c6a123193ee82c3fd51495efd
SHA256

165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14
SHA512

b5e19872849067f0db3d7e1b0b84b183e81d0372abde950a8bf786158a9e9c55757ab49d4e24756e3ddf83ef2d775801944896e646b30dc01649464c577c563f
SSDEEP

1536:7c5rXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6N9/Y1Td:7c5rSyRxvhTzXPvCbW2UF9/g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe

Deletes itself 1 IoCs

pid	Process
4548	tmpA6CF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	tmpA6CF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA6CF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6CF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe
Token: SeDebugPrivilege	4548	tmpA6CF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 2884	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	82
PID 544 wrote to memory of 2884	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	82
PID 544 wrote to memory of 2884	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	82
PID 2884 wrote to memory of 1080	2884	vbc.exe	84
PID 2884 wrote to memory of 1080	2884	vbc.exe	84
PID 2884 wrote to memory of 1080	2884	vbc.exe	84
PID 544 wrote to memory of 4548	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	85
PID 544 wrote to memory of 4548	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	85
PID 544 wrote to memory of 4548	544	165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe	85

C:\Users\Admin\AppData\Local\Temp\165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe
"C:\Users\Admin\AppData\Local\Temp\165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrtjgnbx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80D071A5AF6C4A828A79C7F318846FB5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\165f560e66f15904d6ae4f150247ba95b3d989e1f0ed033e65a700ee3b62ea14N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8B3.tmp

Filesize
1KB

MD5
b355e3609600b80e37ea7e45db00364d

SHA1
ba376eec346ace67b37b024ebc3b4c80e45aa478

SHA256
e3dc699cb4371265d969752a5c605d954697e12e46d14c77e2652c198a976f37

SHA512
98af6f47e810d0d3821c83f9f2a69619b0bedd8d9eec128d1be24013bdb098fb21cc4397379284f348aff8ad81f630a925e3c9cbd5a858a9032d490ff1380972

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe

Filesize
78KB

MD5
2eb32b25d14ca16e8d79711a899cc017

SHA1
5add8b21551582a13ca6d1e8e3f579db6f413858

SHA256
d8b6d62f84702997172b1e82ad80fe721e31e19705299865f6611d3c089e96d5

SHA512
adcbc5452c8fb2e951a55b12b958ec3c492e525133153cdf3009449ba3f72acf6053237754affc2c41ae94a8de7caa7fec517c569bc1719fb4cac5d1021b8dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc80D071A5AF6C4A828A79C7F318846FB5.TMP

Filesize
660B

MD5
f4cba9d6b358102af8439c7c880fd690

SHA1
74d757483bcfb9fe9910da9133889038f4a260d7

SHA256
99599d7e36c745ded2ffa1a3681e2e7eaee6333039e510d11e854428aca8338e

SHA512
ddba63a8f3f077424c9be5df895da9a5e45c64a1eed19606aa9ac2bff6adaaddbf7bafcf1d305b943324165361ac2f0f1d7f4303ff649d209f10dc9acfde8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrtjgnbx.0.vb

Filesize
14KB

MD5
ad23a6f52dcf469733db65f797b55ca1

SHA1
a923b6ed95328538f46f3c245ac4153c6eb3e83b

SHA256
8246785651051eaeedccd063e8b284c5bf8c90a74b84753bec4177eb525ce683

SHA512
32bcc067f10a468d0501d16b8467cafdda1dcbfe23a0edf2dc17e0a45788969e18177eb587805d8a83806e9d5054de1ce0b5b033585fb39d9b81405b31a19620

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrtjgnbx.cmdline

Filesize
266B

MD5
ed9fd5d6d0fb42fbd3ef9dc84aef8e8f

SHA1
79ed1cf0f43b04c17d8d3e9e57af6ede27f9f122

SHA256
cde7b28d1c40b0e87bdf915eead21a3c6ab09c4d3befd0bea32048aae75caaf1

SHA512
e167243b4bfe40bc2d95de451372fe69819410e949c4cdf86ba64cf8dd581e732262948cfa8dfa93a92cf740e9a472fa2c6a16485a17dd99c580ad40cebae4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/544-1-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/544-2-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/544-0-0x0000000074F72000-0x0000000074F73000-memory.dmp

Filesize
4KB

Download
memory/544-22-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2884-9-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2884-18-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4548-24-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4548-23-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4548-26-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4548-27-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4548-28-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads