metamorpherrat | 28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25

General

Target

28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Size

78KB
MD5

0c302be2c485ac1248ae94f54e3f5310
SHA1

96405b5ed2f2d055e3f4416f99aa4209bab415fc
SHA256

28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25
SHA512

2bdf429f0d955cb7b1e023769bf90d202b764a8b07aae00032aefdd4ad63f38dcc4325eee08cad2fca672188afe670de15bbf1b941cc2c4ad54e5694032912a2
SSDEEP

1536:hCHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQt89/vd1t/:hCHFonh/l0Y9MDYrm789/vl

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	tmp6830.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp6830.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6830.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
Token: SeDebugPrivilege	2560	tmp6830.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4788	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	83
PID 1672 wrote to memory of 4788	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	83
PID 1672 wrote to memory of 4788	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	83
PID 4788 wrote to memory of 3220	4788	vbc.exe	85
PID 4788 wrote to memory of 3220	4788	vbc.exe	85
PID 4788 wrote to memory of 3220	4788	vbc.exe	85
PID 1672 wrote to memory of 2560	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	86
PID 1672 wrote to memory of 2560	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	86
PID 1672 wrote to memory of 2560	1672	28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe	86

C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
"C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewqp6ujs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6987.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75C2EAD1EAAD45829513DE1888EFCD77.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
- C:\Users\Admin\AppData\Local\Temp\tmp6830.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6830.tmp.exe" C:\Users\Admin\AppData\Local\Temp\28e1aab094fedfae24008315310247a1a9775e06f49b682b3bd19d0a6a037d25N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6987.tmp

Filesize
1KB

MD5
fea9db03d539c37a32ae1e21a384626a

SHA1
02c0e81b27a1cf15332b1fbc327c81d6ac6438e4

SHA256
e78766cf2d344c054ef0486dc984960657cee478f44aa2ebc2f3360d5ed58021

SHA512
328cb1e8759833af06f0f6aa951d7a030de4952ca030a571b24941a0022542b6e075bb9e35eda3588429a512c06240a8ff6769fdd78044b7865bc761e9dc2883

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewqp6ujs.0.vb

Filesize
15KB

MD5
bb7074ad5de485bdf363be54cd71d6a4

SHA1
517f2dbbe02a568381c1f8bd19ab1119bc12eb43

SHA256
380f677b36bf8bb2bbff51d4f3e13f1dfd0e1b45a10918030b7af2f4fca31494

SHA512
d5f3dd9d92d8e2e7cf86559b1e22b33181612ee822616ae200ce4720b4f463deab90e45d9662dad8b6f98c1fa52f8dda4dcf9d398183e30214a8505e56e09dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewqp6ujs.cmdline

Filesize
266B

MD5
431732d1a18fcae5aed0d15138719c21

SHA1
38b79d9d7af7ea0fd9257caceb236f6fab7cf4cf

SHA256
eb417d0f8f9ac03900d65e36ac824a633e3c49161fda8cf309c2c11758d736d3

SHA512
0a41aa6255a1e4f3b29ab08a870c0cab9c8ccf7488441877bd469cbde9fa3698688be503d802dd90af89b16b576f8c8f9b056f483368e9388bbf94885ce49ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6830.tmp.exe

Filesize
78KB

MD5
fdddff90a6b7b9977c0780a23906c9a7

SHA1
188e6bdc39c11f76de9ce5e79fba28d7bb449850

SHA256
07596ce5a748f8094618a69f090c82221856315ff00ca4244d0d7f881ba21b84

SHA512
cbcd7115b7165cfb1bb941545a7d75fe9f7d47cfd33913a060d8adad1dac9e02c11aa0c756451cfd426718d328e59aa733b621b4ef78a3553aff41b8c49b935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75C2EAD1EAAD45829513DE1888EFCD77.TMP

Filesize
660B

MD5
b0d7b32c4154094fb72aef51ae68703d

SHA1
a872feeb8d36a63ed62eef5557509e6f4f2dcf08

SHA256
cb784d3cfd867079ade6a6ca814ef0e663c7b3cd4289e691dd6a7533583243ad

SHA512
94005f2b65a02bad55cb6c1cbe4d1867d8ac2e37277b3f12c782eaddc7d96e137d39c10fc5626997a6527509e5b817ce7edb3af4abfe962dc48c253fab94c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1672-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1672-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1672-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download
memory/1672-22-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-23-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-24-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-26-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-27-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-28-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-29-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2560-30-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4788-18-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4788-8-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads