metamorpherrat | c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11

General

Target

c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Size

78KB
MD5

d33d0480db077326513829ec447228e0
SHA1

f31fcdbc6d2d8d3412a098ba88a80eb5b545ebaf
SHA256

c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11
SHA512

70e76359a1c4a8e64727b5617becfd945bd897ed9596374c31d9098c4644ebe8a35b8e7628fa24541f3cbdbbf3c0fd894ad6c263a46c82f31e0a72c4a4c2dedf
SSDEEP

1536:F4tHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt1d9/n1c1:F4tHYnhASyRxvhTzXPvCbW2U1d9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe

Executes dropped EXE 1 IoCs

pid	Process
3444	tmp99FE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp99FE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp99FE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Token: SeDebugPrivilege	3444	tmp99FE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1772	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	86
PID 3544 wrote to memory of 1772	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	86
PID 3544 wrote to memory of 1772	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	86
PID 1772 wrote to memory of 2876	1772	vbc.exe	89
PID 1772 wrote to memory of 2876	1772	vbc.exe	89
PID 1772 wrote to memory of 2876	1772	vbc.exe	89
PID 3544 wrote to memory of 3444	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	90
PID 3544 wrote to memory of 3444	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	90
PID 3544 wrote to memory of 3444	3544	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	90

C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
"C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cudb_5u6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36AF2C30F394CFA8255F1DFEB38065.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9AF8.tmp

Filesize
1KB

MD5
c93e4bab433df4b3b0c46fb32a5fca48

SHA1
209d7dbdb00e48aab4e830421f8f45d07327c278

SHA256
0ca2e111e86614e8a7b9a37673ecd0c805637d3c5b35b708f3a04a10ae92cfff

SHA512
3b6788ccb2b5f47f8053e090514d75856d93a3017119c273ab212d1124c8a07105a6d8c018d8d976b9ab960f58e11c0468ac9d6af8aca3eb7599486b71080013

Download Submit
C:\Users\Admin\AppData\Local\Temp\cudb_5u6.0.vb

Filesize
15KB

MD5
a1fe4f40a83da5c5a6782866d0dd665a

SHA1
ad98811e850e9875c6db06a607e692e6dc6da239

SHA256
2d1de20bdb12f02d35ab05ce69b4be08183d94465ee82e9104e5e8fd2fd85985

SHA512
0170e69be5e2b57d234fcab609e622df581ff4c5e1ac20af1cd678688b038ef4f0c02f1ed2b297212ed9bc97f26f3d6e214805f6f27fde4d6e62cac90b43a3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cudb_5u6.cmdline

Filesize
266B

MD5
fc36b93b5aaf85d1788370cd5ba7fc9b

SHA1
f314f7c1205677d3c931911d3f81c8b9d631617a

SHA256
e5767f54007ec441b5965cfbf0b40fe2951c5e9e602915c6a86f1b4aad937fa1

SHA512
45a71797cb893b459f7f971eac5a285725d94497f938caabaaf18ec73888e0d84312373396ee56feacce9e81cfcb0faeb78e10c6352b0cf43d1798330e3a1d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe

Filesize
78KB

MD5
b7960460ffdadd5f0d6945925353fcd2

SHA1
09b67f6a1194a368b2b19ef94660f90693400735

SHA256
f157b0972ba3b2ec156cf833875a554e80abe469fc69a6cc9d3473002b630452

SHA512
a71b1f9e6837967fe139c6f3ddeea5b0f94f797b3b264c821d4b451232da625ff8b5cd72b91cbc61f443e83ca4bc0efccedfee93c351515170fc73cbf6146615

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36AF2C30F394CFA8255F1DFEB38065.TMP

Filesize
660B

MD5
23b73de0c7b0c0c69ed2f103e81be633

SHA1
b41b9292b924bdf95fba934ee4e1ff12ee35c6a5

SHA256
a96e66c270db2ab57d96739b5c40d4533b58b1082cba920b2ad7855ef9170f81

SHA512
4286732d2524d7e1e797b4f240fb0da720aafa7d181c0e99c1709c5fa2375b0f538ddc58903962faa84cfa9fb48afdcd6f173b8ce39d9070dd2f8b30b3559bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1772-8-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/1772-18-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-23-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-25-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-24-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-27-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-28-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-29-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3544-0-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/3544-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3544-1-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/3544-22-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads