metamorpherrat | 17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967

General

Target

17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
Size

78KB
MD5

08d889480a2770d650d20e8f18885490
SHA1

e5c6f31cd767d26a8e85a1c65a9e3b970675329b
SHA256

17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967
SHA512

91fbe4b6535794e985db6fed0c4299e679ef5c0123edd545581c7a260da05febe1b6cc111bb58a0b6d23eb51c431ba4b88fe3c146a7223cee5320ea25a9e18b7
SSDEEP

1536:7PWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte9/V1rl:7PWtHYnhASyRxvhTzXPvCbW2Ue9/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe

Deletes itself 1 IoCs

pid	Process
3936	tmpAB24.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3936	tmpAB24.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpAB24.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB24.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
Token: SeDebugPrivilege	3936	tmpAB24.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3252	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	82
PID 3176 wrote to memory of 3252	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	82
PID 3176 wrote to memory of 3252	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	82
PID 3252 wrote to memory of 1888	3252	vbc.exe	84
PID 3252 wrote to memory of 1888	3252	vbc.exe	84
PID 3252 wrote to memory of 1888	3252	vbc.exe	84
PID 3176 wrote to memory of 3936	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	85
PID 3176 wrote to memory of 3936	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	85
PID 3176 wrote to memory of 3936	3176	17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe	85

C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
"C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\spor6xk0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF67314CAE5448C3A12DE7BFB09E91D6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17e5f298f75d78d71cf62a02761c8f805e1eaff2612c0aec014966b201c75967N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp

Filesize
1KB

MD5
555f1949c7a38570ab166823792053cc

SHA1
0d13572966aeaf8242c2ba6c532e4216924e7db4

SHA256
cde0f54077a237139d3741de45b253704c1efd10e5cecd7d4cf172728a940ee8

SHA512
8b116f060507466db126036b362c0792a4823ec61ce24b7145844024db33920055e56ea2a9587064affdacc5111717d488d4b8d75e7bc2353980b950404b3748

Download Submit
C:\Users\Admin\AppData\Local\Temp\spor6xk0.0.vb

Filesize
15KB

MD5
844066fa9c8595096b37af1c74e79b39

SHA1
660e2e660763cd91a0c78a607682d7496dce2630

SHA256
14bfa9f0a74c390caddacfccf76c63e8e2c1be7838b46be17d479c3f839caf2f

SHA512
b03b1e8eeca7e78ce5338a5efa059b7d416ab0778c941ab0fd45514b921cc12e83870df4caaa6163e6701bcf8301870d304f7944b5547410d7ff153d78d43799

Download Submit
C:\Users\Admin\AppData\Local\Temp\spor6xk0.cmdline

Filesize
266B

MD5
7f8c9625769a3bd4c35fc392ec232962

SHA1
5765e7bfe34b547b8e9282c3c1a575b67238721e

SHA256
70c3b106004970e5228dbe1cf86fd3c597c22eb0d25ecb8536ab248678a144ab

SHA512
ddc76d797381242e819aabb8d84c5b5ed99571fc4f3858e502d5535bd6f4ee6d817207c423071f0c3cab7238814e99c161a0cf4457875abcf3b56cda7e8cac76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe

Filesize
78KB

MD5
c6440923d095bc2ec871e321b85a9a15

SHA1
0757738ef8177c5f8815bdea03148448c6b89a85

SHA256
6f5bebd88b1fe8b4da113ccfc7e7b743fc4ebb299bff4f53888d8593c31f2e02

SHA512
49734cb32991861a026facbbb33f8ce371e1631d6750512cd09a1e616e3087862b920cb06810808774b9c3fc633d67eb8dd657661a436f47d030b80b3a57a68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF67314CAE5448C3A12DE7BFB09E91D6.TMP

Filesize
660B

MD5
ddb7089e247f88db00a3c28e8da0405f

SHA1
5218167cbf2042e17292199befadca54d6964a44

SHA256
535b2dd68204128bb9933baed8e5dd5faca833ff695d3e32917921086c8244ae

SHA512
c7992b0a99902413caaa1fe31a2a51c10d0cad04819ef92e8e6afaa6af4957c88a8ff05c72bf6d72e38d2821338fc909e47cc861118543ea72b271479db00abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3176-22-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3176-2-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3176-0-0x0000000074E22000-0x0000000074E23000-memory.dmp

Filesize
4KB

Download
memory/3176-1-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-18-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-8-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-24-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-25-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-23-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-27-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-28-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-29-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads