metamorpherrat | aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3

General

Target

aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Size

78KB
MD5

ed389ee9a2ce5adc29152cc4df7997e0
SHA1

fae9a619e69074a45ec8ae9e5dda17cfbdb88eec
SHA256

aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3
SHA512

8b66ad5c3a9da4fec83c733665f25e748e4149bd3bfcc0280a22d7a021461aed94859a45cb39e50dfa3930d057adbc1c2d779f30df8911d17694de3eda391be1
SSDEEP

1536:7tHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt+9/Q1za:7tHFo53Ln7N041Qqhg+9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	tmpCF08.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCF08.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCF08.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
Token: SeDebugPrivilege	4836	tmpCF08.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 1832	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	85
PID 3212 wrote to memory of 1832	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	85
PID 3212 wrote to memory of 1832	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	85
PID 1832 wrote to memory of 552	1832	vbc.exe	88
PID 1832 wrote to memory of 552	1832	vbc.exe	88
PID 1832 wrote to memory of 552	1832	vbc.exe	88
PID 3212 wrote to memory of 4836	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	89
PID 3212 wrote to memory of 4836	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	89
PID 3212 wrote to memory of 4836	3212	aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe	89

C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
"C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_oj4qpe0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD050.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35977BABCAF740AC9FAEA5F617D177B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- C:\Users\Admin\AppData\Local\Temp\tmpCF08.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCF08.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aaffa2c3e7182d9da5a2097bc273758a55e0c66edc58aebd40da4113fe1374c3N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD050.tmp

Filesize
1KB

MD5
3deae0dda38783bd23279792a1de78e8

SHA1
24a840a7941f443e1a5486928d3717813b9c97fb

SHA256
9191ce604b8634a518077b647b7dbf00e81b55f5e93f878ddf781ad162fc3408

SHA512
632ba16446fa3647eb8d225418b7a1d183ff4291ba84b109bb2225d725204b9323473a03483ecf2d5f32109d1400798bf2a566df93535032d73514b199e33476

Download Submit
C:\Users\Admin\AppData\Local\Temp\_oj4qpe0.0.vb

Filesize
15KB

MD5
dbd4949fd26ab793711f58e31bff1eb8

SHA1
71d516c09366a105fba7aef3914bb5b7277e771d

SHA256
bd9b468d91f82ae620f4fe9f04abed63a0b36ef48beaebbc1ecf8535c72b8180

SHA512
84652c8f4d020af88eb0f1c92dc5c508f87a8fa590e3b1605f0c420818cfc682ec331d100a2154e915c3180e8435b210eafadeb23c20ee463d3d2a0731494406

Download Submit
C:\Users\Admin\AppData\Local\Temp\_oj4qpe0.cmdline

Filesize
266B

MD5
40bdd92737798e07c27c1d54dd4cdb92

SHA1
c24757c1705cda631dcfc108fbc0f402ad062c44

SHA256
8605e7ca63d25745be33b0959a93b3e95467858d095d694432cadc8def6b1a1d

SHA512
0990c62f05943a113c7306e545f834df5f0730f6a7042d3e0210ea3505f1936a67128a194f211d267d9adb5002afe2353c4edf471e3fa846439e42b4b15bdf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF08.tmp.exe

Filesize
78KB

MD5
4be453274150509962127c0a8901120a

SHA1
d4eefd6365956a59ed29cd8b3096b2e99111372d

SHA256
1d94161ec98380d95ec0f60561d01b7127e205b029114aedc97519f047395a24

SHA512
3e937f567119e36f61872401c90f9423568cd31b3e8dbd6c63e54c52f55fb11ceb793a23f08759e5d432adf5b703d0815e32c45474bab8e7ca4a55b373a448b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35977BABCAF740AC9FAEA5F617D177B.TMP

Filesize
660B

MD5
94c11f12d4909afbe9f97ec863707cce

SHA1
e7e8e792768b61203cb57818b44052dc7341fb60

SHA256
28301ddab183b7913b3c199c743f517c8daf6ab6bde0a95094a83fae28e112f9

SHA512
3b8b7b51a4d1d461ecf0523c7dda1c388ce0f64794db839e08b14de6fdee9e51af2a48288693c24aa1acdee7cb42c22188c774dd7377fa9d11755a6ed8224793

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1832-13-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/1832-18-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3212-22-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3212-1-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3212-2-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3212-0-0x0000000074CE2000-0x0000000074CE3000-memory.dmp

Filesize
4KB

Download
memory/4836-23-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4836-25-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4836-24-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4836-27-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4836-28-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4836-29-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads