metamorpherrat | 9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3

General

Target

9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Size

78KB
MD5

6791cf354d7374245788d7279ab016c0
SHA1

363727c303a29bd921933127da58d95f529ef2d3
SHA256

9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3
SHA512

0df98fbf11fb42f3e03ad5f738765ad4bb606980ddf9cd0d558b9fd3a732b996e33a90a872bfd0d506a7d28589fe13ab9ca6909b6fbe5661c9f4acd99d281b3e
SSDEEP

1536:GStHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtMd9/z1RM:GStHLdSE2EwR4uY41HyvYMd9/g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe

Deletes itself 1 IoCs

pid	Process
548	tmp9971.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
548	tmp9971.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp9971.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9971.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
Token: SeDebugPrivilege	548	tmp9971.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4736	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	82
PID 1160 wrote to memory of 4736	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	82
PID 1160 wrote to memory of 4736	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	82
PID 4736 wrote to memory of 4928	4736	vbc.exe	84
PID 4736 wrote to memory of 4928	4736	vbc.exe	84
PID 4736 wrote to memory of 4928	4736	vbc.exe	84
PID 1160 wrote to memory of 548	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	85
PID 1160 wrote to memory of 548	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	85
PID 1160 wrote to memory of 548	1160	9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe	85

C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
"C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ci4dwta2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc513C12C1322E49EEB762C1CE300A1A6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\tmp9971.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9971.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9254ce1b528c791560739eecdebe5a4f1372f55556f5d21cf4c948dbc48ad2f3N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9A7B.tmp

Filesize
1KB

MD5
39f257ba9b9ac9b30374094b805135d1

SHA1
af0935efa89b285f5ac5a06efd7e8540277df609

SHA256
352477d7b8fee5cc1f24fe28bc7f0be2322d36e38d4f25914a44ba3971a3d9f6

SHA512
cbe62f253e044c3f725f6435640a9c87116e9b28c6526f7b7fdd30a610ad07d9268bdda744dd325e009afad8e8c5391ebb566ac07b11026a5cd3d070b14c2b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ci4dwta2.0.vb

Filesize
15KB

MD5
eebc1b6e82d3cdaea682aa049f37d7ca

SHA1
d77fa69bec61a252627f4178f1abf9667831fe48

SHA256
9092d246861b01bd25c0406fecb748e570eb6204dbf89fbff8fea63fa00a7854

SHA512
5d6352a168128251081f2326a3de6592cfaa9e136e5cdf3d67a0d89d309073bd466d00d6fa22a65d6d26dcc6b2ca70446a9add123d521d60842915d7336202ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ci4dwta2.cmdline

Filesize
266B

MD5
96e4c7aadaceb9957889cf76d1f300a9

SHA1
ca571c4222ddf7c4b8d32d6c44176617814ef920

SHA256
a222de3caacb9e37bfe62d1e254098aa1b2345a417cb7ae314fb446cea4a81ec

SHA512
60a0772c82e18564d299c346ac6debdc5ec52736a877f9c2773cb99dfc1651409f9a84343300ccc74b5fef8cb089926a386693c057bea7600dc5b5bf6cb2b630

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9971.tmp.exe

Filesize
78KB

MD5
20b7816a68e733c76d0f3e55b635282c

SHA1
8365c281b871a5bcc957a425f457e9ca29e3217f

SHA256
a2f66d1b6ec403ba58fcfca51ee9c36012ce0f0237a68c8d5ace286a9c49a503

SHA512
6d6bd3a817b320a585bd373e2f69de728ddc6c9efcaab0ac10c6c68edf6f5a07aacd660d6127e47f5e9e5487ad05284b221316c7ac6d9113c2df4e80326a6d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc513C12C1322E49EEB762C1CE300A1A6.TMP

Filesize
660B

MD5
ec0a76a098fdd49e0a94fd8281dc2c74

SHA1
e191ea63596d2b704482bf1e16824bbca8580ea9

SHA256
13cd13938aa8d305035db6edb1d3d8b885e28b2cca0ea63c3c79eb6a73a387fc

SHA512
3f0b3f3d748dc898af3098cbb9bb7da75666c88aa68d3d2132010cc5f6a8a22838889dfe728a1d7d881a69a7e853687c4496fedcff7bd8acfd519d2f00d8a3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/548-23-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/548-24-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/548-25-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/548-27-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/548-28-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/548-29-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/1160-22-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/1160-1-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/1160-2-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/1160-0-0x00000000747B2000-0x00000000747B3000-memory.dmp

Filesize
4KB

Download
memory/4736-9-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4736-18-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads