metamorpherrat | 046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831

General

Target

046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Size

78KB
MD5

c1c088343ee0fa26e039c9990f1a2d20
SHA1

274e70ffb38cffffb1a02e04b5b87124600eb139
SHA256

046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831
SHA512

207037ed07645b5346a8c7e4d49cf1274ad8ba333e048a92906917694a776a63202444e909873ee2efcd7357b126879ef0b34b6523087e1f94dd130e1063a2eb
SSDEEP

1536:cPWtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtD9/I1vl:cPWtHYnh/l0Y9MDYrm7D9/o

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe

Executes dropped EXE 1 IoCs

pid	Process
232	tmpA71D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpA71D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA71D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
Token: SeDebugPrivilege	232	tmpA71D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4652	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	86
PID 552 wrote to memory of 4652	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	86
PID 552 wrote to memory of 4652	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	86
PID 4652 wrote to memory of 3912	4652	vbc.exe	88
PID 4652 wrote to memory of 3912	4652	vbc.exe	88
PID 4652 wrote to memory of 3912	4652	vbc.exe	88
PID 552 wrote to memory of 232	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	89
PID 552 wrote to memory of 232	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	89
PID 552 wrote to memory of 232	552	046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe	89

C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
"C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vacao6dg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA836.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DB6CB1650C54255B48A9F77EB5FC14.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
- C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\046329b226ee881748a4172c275e531618f9397f4748bb4a18e2f13d4224e831N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA836.tmp

Filesize
1KB

MD5
406461ab8cd835458d05c1bd9b669258

SHA1
8ead8b823b36f39d2765453ff2aeb206225b3dcb

SHA256
e1a7816e4a6c4b7cd35dd840cc0aa8599e0e918ceef0b59da71ae3960f9b4846

SHA512
8159c23bad2c9e699c7832fc65f003d0cb3e8db7a3d04c6a0cc2f62d6372834d9f43dc221c708fbb75b5713175673ce2307911738b57e5a9ea883587f8cbc5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp.exe

Filesize
78KB

MD5
9d2793b9edcc98a7a61b700ace37068a

SHA1
fd2e46d886a8adcf8edbf89707e7015d08d24f83

SHA256
3f06560996e341c255997682c4155728fc261ef1ebe37c405e69aede74fb84da

SHA512
4bc2213ec6c134e1d00e69df77854bf29152b699310233e9ad3e59a4a00dec88d6703406c50f4f07e8ef913bd5ebef7bf44cc0f8442d07276e341e07a55bb0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacao6dg.0.vb

Filesize
15KB

MD5
43dce0e4bc99bac0b0cc9567c13bbd4e

SHA1
39d0606fb067f8591fa90b76f5470b53a2363a34

SHA256
46595f9e7037431f2f24290c38946ad744c8cb77734dbf08e3e4081d8611a5a6

SHA512
ec48eea086492a1d6d22216e9df512bd8e7d8dac1d3939bea492b30ca23d77cd51ce0c1c235270da5b4d33324b4cb843294ebce9c9f7650fe696bef85f167003

Download Submit
C:\Users\Admin\AppData\Local\Temp\vacao6dg.cmdline

Filesize
266B

MD5
9173b9654dfc1cbebef03752bda02d0e

SHA1
ead3521e9bc252c40a4576a311566b4e43e8da28

SHA256
c69309ff11002dc38db29599926d78fb6beb0c4ff5772b37528e834c2afb0e43

SHA512
ea34112d610a0dbb043dd693f9ef3e3026d8d834956b7a26e44d6a61743f2b0b1f5238e160b88c18277574f2b79e75b012b04386de2eba6e7464107b254283f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3DB6CB1650C54255B48A9F77EB5FC14.TMP

Filesize
660B

MD5
61b834ae4496eb397d720c8f7e5668e9

SHA1
c56fc5da653f73d16b4efa8eae47de3fbccb5ccb

SHA256
e7a09fd57cb434987d07af19e39463082e05ade9125775ff720592e725a114a5

SHA512
8dccf6b5f3b86ed399b250a9eadcc78cb65bac435531b7d4647852f5d30f50dbd10f9eaf2b7e2899f4309e90c30fb577649dad6ab3cec1ddd759bbdb3389f96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/232-24-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-28-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-29-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-27-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-30-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-23-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/232-26-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/552-22-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/552-0-0x00000000753F2000-0x00000000753F3000-memory.dmp

Filesize
4KB

Download
memory/552-2-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/552-1-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4652-18-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4652-8-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads