metamorpherrat | ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60

General

Target

ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe
Size

78KB
MD5

a1c11b0739e44800cbe5ea15d9437340
SHA1

d710e3a13fb773f468e1aaa12a914e8829191909
SHA256

ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60
SHA512

3ed89d50f766c34af72dfaf7673a7ed44de21617c0a85441f445530e6f56bb92e144970b9547dac9e0c9bb753380c100186dbca18d2de16f695906b446505110
SSDEEP

1536:gCHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRL9/Q1aI:gCHFonh/l0Y9MDYrm7RL9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe

Deletes itself 1 IoCs

pid	Process
1592	tmp9114.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1592	tmp9114.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp9114.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9114.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe
Token: SeDebugPrivilege	1592	tmp9114.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1728	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	82
PID 4460 wrote to memory of 1728	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	82
PID 4460 wrote to memory of 1728	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	82
PID 1728 wrote to memory of 1588	1728	vbc.exe	84
PID 1728 wrote to memory of 1588	1728	vbc.exe	84
PID 1728 wrote to memory of 1588	1728	vbc.exe	84
PID 4460 wrote to memory of 1592	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	85
PID 4460 wrote to memory of 1592	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	85
PID 4460 wrote to memory of 1592	4460	ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe	85

C:\Users\Admin\AppData\Local\Temp\ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe
"C:\Users\Admin\AppData\Local\Temp\ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzg5jzcj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES920E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc319ACB6E4EF14CB3B07611D53062D7EB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff222ef8d7fcbbeb626ff86204a9d9e34c4fc5c33857423c216802fba2615b60N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES920E.tmp

Filesize
1KB

MD5
8db4c493f5b4cff30cca19488171c52a

SHA1
42a588689d7f48a51e344990bc049d0d24a8aafb

SHA256
da6b1a6697e6aa27913462761f9b6f3af1c00acc3431ee09d9e3f6620f83e00c

SHA512
f2042dcb6c77020ef228649e5e55f611af4b7ba6134af09b96a6f14b0e21313f9ee49821d98db0d8a5fddd13474ecca7a1467e0b22d1910e25bb949b572b8c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzg5jzcj.0.vb

Filesize
15KB

MD5
6c92f59f9e3601cc813908ab5b856998

SHA1
776f61adcfdf46b97a2a9c2f265a0be838c90c31

SHA256
3256ba19e8c7fa4ec79ed83163d3350fbc9962c500f8ff88ff000b3a92c3f324

SHA512
cf4ad3efe73f6e73ae2e48feac0cfb5b96531cd288371642cd417fd6db74d466df99dbe09fd45b750ef4a8a6b64b255db1ec69f065367424f8ec5e7d7eb2a782

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzg5jzcj.cmdline

Filesize
266B

MD5
08a064e874fcc3057388cc6fa45a2a60

SHA1
57402c0408bd7d88eaae5a8b2c525e9832b7e98c

SHA256
0a2775010188e6d63e038e510ea6d37b736434ffcd410e24fab73cc53a2fc5cd

SHA512
979a8a168151dd2bce76470aa2ef7f4983f74a178898eb34aada4c4b587aa0582af1080e539fb5c6b3eade2f8b72255badc6da4b88cb26e68eb2ae66657f1f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.exe

Filesize
78KB

MD5
5713c7b55a1b27fd922be4d81c960850

SHA1
fe7ad796997b30abb380e85d82718333bcb97c13

SHA256
9d2be62e85052f34956d6a039e715da0812291d74e97f0bb7216c6127027ace7

SHA512
a4be4ddee4d9d3b3c35025fc9f7eeea18ed8e18d26a70a6577454f2f0feedbbf0c77589c42189dd906099225bf0a976d848c7f30f808d321ffccf1a55239f50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc319ACB6E4EF14CB3B07611D53062D7EB.TMP

Filesize
660B

MD5
09182c2b6b72d74f9cc6b93d177f4f24

SHA1
9106ce2f37491d9a05ea25b59b9009d3f5fa716b

SHA256
75f5dfc6e8daac3edf4a44360e7622bfdeaebb35ab0ea5f52b90f248a67cf6e0

SHA512
3d32e0631bb906578ee47b66322a6154a38cf47f875dda75c195a7e4a3bb44a14a352ec5c61ff3be8a143acc4064b261e7d94d8888292d9fc0505aaae49a9054

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1592-27-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-28-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-31-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-30-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-29-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-25-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-23-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1592-24-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1728-9-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/1728-18-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/4460-22-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/4460-0-0x0000000074AE2000-0x0000000074AE3000-memory.dmp

Filesize
4KB

Download
memory/4460-1-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/4460-2-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads