metamorpherrat | c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a

General

Target

c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Size

78KB
MD5

3fe92d6af27ec0dd0fc474939a8c3ab6
SHA1

b355cbcaccc68da313d7513da35c96091328d6a5
SHA256

c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a
SHA512

3725be1320c9b7fb653f5392a9249895828fa7b63d58454695f5173e3e1c5ea7445d2bc15179d55e88c92eb4a93cf4ea546204f0616c11c5148bc4e6d527d405
SSDEEP

1536:sWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteG9/s1Re:sWtHYnhASyRxvhTzXPvCbW2UeG9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe

Deletes itself 1 IoCs

pid	Process
1868	tmp7213.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	tmp7213.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7213.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7213.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Token: SeDebugPrivilege	1868	tmp7213.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 428	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	85
PID 2356 wrote to memory of 428	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	85
PID 2356 wrote to memory of 428	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	85
PID 428 wrote to memory of 3656	428	vbc.exe	88
PID 428 wrote to memory of 3656	428	vbc.exe	88
PID 428 wrote to memory of 3656	428	vbc.exe	88
PID 2356 wrote to memory of 1868	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	89
PID 2356 wrote to memory of 1868	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	89
PID 2356 wrote to memory of 1868	2356	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	89

C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
"C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jgv1360m.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBB93D74F6AF42BF945957C13A48EA2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES73C8.tmp

Filesize
1KB

MD5
25b42f1f6a15106deea7ba4055344813

SHA1
519e2c8e318fb030ff2254c407d1630d16fb4000

SHA256
8644b500bbacf500e7609cf9883d93793980038447e8c72034a6b7dd6d242c5f

SHA512
3d1d6f88b59069fc2851c78d0af0c1d14c19d7a682c04b853ea9eb43847d471dfc3f137187b2bf40332e05c6a6c2b908443f04eb3ab44354cf79a25f47449f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgv1360m.0.vb

Filesize
15KB

MD5
22821731fde8f0b49f70d39c51057b5f

SHA1
35940a603e86206d1b42359b37edbc65e242bf85

SHA256
9aa0465d33187efa9650fa5069e08b3ff65b1d5b3e69269776be88dff81092c4

SHA512
68cfa69e50edf35c8865e94cb70f034e49758eeb784e370649f03f5ba810673c725b98ee6d248a0dc39b98f8052fa27ea9b4c5b54fbbdeed4ce74e67c5781ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgv1360m.cmdline

Filesize
266B

MD5
668c67c068331c559ebf1f741baa13fe

SHA1
6289e795e39223243b0749b5efd9d2e67543df2d

SHA256
00ffd2a67ece316481b11254ebbad081de6a3e35621f9fffbe6cd1cad5429ff0

SHA512
53bca1b24781f58b89584d046f38c77f7f39a286085afc829b9a93c1141353c259210bd45be567761809a79e75060ba6c9708777f1e6e3c04b87fcca32e236c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.exe

Filesize
78KB

MD5
af3e8c7e4ed699f96d50e3d849ec93cb

SHA1
2362e84b9c62dddc502c115aceaaabf49fcb7adc

SHA256
f16f0062b924e61a58cc05272947909f924d0bb1ff34a6e1a53d9e4e9c40a416

SHA512
15be8fb5179e7ca05e5ec1a0971f95c65d1d07ab4f3080b2e67fbd3f6231978ec234fe510c38c1c2ad9a6259ac17c5b987242d0ab0c09af068f68f961fe0e55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFBB93D74F6AF42BF945957C13A48EA2.TMP

Filesize
660B

MD5
c8f5fc32d985c74d51ca4e89ebbbe5ea

SHA1
eb6c718cbef384ba5ad4c4d30376f261ee762e2d

SHA256
32c57f8d6f77357f08a805c123f98b3659b5809175d6f300d1f3a9f416d1cc1e

SHA512
09f3a889bcc64aa91a68ed45d56d3cb24cdf703d621e0f8bf88769f3d02981ef9c7f4ad7ed1e05e5b2e3186f2174b94c315a5cf0d0cf65c55ee9d34c1ca67304

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/428-8-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/428-18-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-23-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-25-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-24-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-27-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-28-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-29-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2356-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/2356-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2356-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2356-22-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads