metamorpherrat | 7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e

General

Target

7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Size

78KB
MD5

9a5b36dbb2aef49ab0cea07620de1f6a
SHA1

b22fafa901c53180bdac54793ba4afa3d3a640db
SHA256

7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e
SHA512

20226a19c0c4b8f6a1a6ae8d05727e804c275013ebb60b052339e619ff98b2f128defdec84834493dd01bfec00e258ad14ff55a62635047cd4476f8e5e36b3ea
SSDEEP

1536:65OXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Y9/qj01KP:65GSyRxvhTzXPvCbW2U39/qJ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	tmp8BB5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8BB5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BB5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
Token: SeDebugPrivilege	5012	tmp8BB5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4500	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	84
PID 4132 wrote to memory of 4500	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	84
PID 4132 wrote to memory of 4500	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	84
PID 4500 wrote to memory of 412	4500	vbc.exe	86
PID 4500 wrote to memory of 412	4500	vbc.exe	86
PID 4500 wrote to memory of 412	4500	vbc.exe	86
PID 4132 wrote to memory of 5012	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	90
PID 4132 wrote to memory of 5012	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	90
PID 4132 wrote to memory of 5012	4132	7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe	90

C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
"C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmf4uugq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CFE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5EFFFE3771147768B4A421DA87BFEE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:412
- C:\Users\Admin\AppData\Local\Temp\tmp8BB5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8BB5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7af1ed80aceb58d7e48c78e1305a310bda5791e37ad8287d7452dd4b8ecd6e8e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8CFE.tmp

Filesize
1KB

MD5
65f29ec967fc34b57b6f59c5d55362f4

SHA1
ee889b2ee5406e406ec6655a9821c6b0a4c15b26

SHA256
c1704a40b71eb4207c46bd3e1bdc67e47db6c40d64c65548e9fe7d73d6ede172

SHA512
86ee319eb304d2ab63702afb0ab88536f713e958bc8b0327152e7e76344f71d5cbf3347fe51209491bacafe0ef8b92981381f5c75e7ad2729a38665aef381f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmf4uugq.0.vb

Filesize
14KB

MD5
8e005e72d3d4991fc4c42be6813f457b

SHA1
154497e1b953623afde6b052c5d0326ef32219d0

SHA256
d550968bc8f7bf4a8a5f2e4ed3a56fe290348e8714ec90ff8c4de3cc00059c5f

SHA512
a1c6e975cd36601f8fc1d3f1f876e019c1632b91b380d8d352a4f548a3615b6479508335c88168227065ed701ad55a26a4805c5ac96019c109669fdcb34677da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmf4uugq.cmdline

Filesize
266B

MD5
76f0167f8082bcfdc94de3e345acf4f7

SHA1
eb9aeb91e7ac7ff4e10b93227ca3ac2c61f5d749

SHA256
3fc46328cb0d011d03fe02e4ab55ca0921ef95ae790ed4b538e121377edf26ef

SHA512
739d96a96bc9ff5b5ae9eab8c9301800dfeca633b9f8cc8832916eb1e50a6d3e3e1fe8c8fbdcc42b4f3a497036c94fd764087a97cfbb006fc1754f8eed68ec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BB5.tmp.exe

Filesize
78KB

MD5
7d0ffe23ef7b17544269134e2d2699a8

SHA1
0b5c6c33f58a449c2a88bf4cd0d15d03df67c00f

SHA256
c068425d4b6542613735c3965900b061e871886df14dcbccceee4388f001f691

SHA512
153816b8690e7f0dde580ad1b88de7e29349de6db9cfbb8d1100eeb146a2418488bbac247afa7466d0589e02ef70d7ff3f764a74622a84a24d0ba27ce1f53ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD5EFFFE3771147768B4A421DA87BFEE.TMP

Filesize
660B

MD5
e8a13305f7f5ca3b35eea19721cf62c0

SHA1
f2e0bcf430ecffbdcc96d387592566c5cf3a8dfe

SHA256
fdd456566961795d2c883ed0595382bd054889c9a89168e43aa2cafa7fa038b2

SHA512
069f0b29973d8da8fb1067953809a6ef0ebf0a0d40d7b66b5259db6fcab3b3e76e7f5d5752da1e81aeb6ed67bfaa94c3a131c5dee9f56760ffa66282829e8acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/4132-0-0x0000000074862000-0x0000000074863000-memory.dmp

Filesize
4KB

Download
memory/4132-1-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4132-2-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4132-22-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4500-18-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4500-9-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5012-23-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5012-24-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5012-26-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5012-27-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5012-28-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads