metamorpherrat | d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5

General

Target

d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe
Size

78KB
MD5

2e5a6ead9caf085952a822fb68e330f2
SHA1

219de06e9af89f0aa4131450026e7f8f79fb1c81
SHA256

d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5
SHA512

7fe4cde203b8d21df6dc69e47377a2e87be80c40186043bbf8dc53585ace88f7a4eac9fdab7294af146c9600ed19d0307c85cea1f7540b9134fa57ca70de5710
SSDEEP

1536:XPy58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6C9/x19G:XPy58An7N041QqhgK9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	tmpB074.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB074.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB074.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe
Token: SeDebugPrivilege	3060	tmpB074.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 5072	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	86
PID 4348 wrote to memory of 5072	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	86
PID 4348 wrote to memory of 5072	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	86
PID 5072 wrote to memory of 1876	5072	vbc.exe	88
PID 5072 wrote to memory of 1876	5072	vbc.exe	88
PID 5072 wrote to memory of 1876	5072	vbc.exe	88
PID 4348 wrote to memory of 3060	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	90
PID 4348 wrote to memory of 3060	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	90
PID 4348 wrote to memory of 3060	4348	d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe	90

C:\Users\Admin\AppData\Local\Temp\d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe
"C:\Users\Admin\AppData\Local\Temp\d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xk1wtk7u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5380FF4EBED444B28ACF57CE42F4B162.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- C:\Users\Admin\AppData\Local\Temp\tmpB074.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB074.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7b2f6edbede955f4b35d537df641bf2fc9bd160090f8b7130299587903330d5.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB1AC.tmp

Filesize
1KB

MD5
1102b665230e6da8c9fae3df725d7450

SHA1
2940efd54009085554e3e19f8d7b3541db15df9d

SHA256
93ab5db259c0b7c1772a03c4ae943024cb8e27746e31d323dad4f80afe49426a

SHA512
cb36d71a5ebf11711b47aa4f1214a6ad68c7256f28012d911bf0d0975151c5e9597a261e1dbe89d28d9b96e3b8eca823a839badd105a664986ae8615e5a5bfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB074.tmp.exe

Filesize
78KB

MD5
3095224ff15a884dd0a4f3e0d1dced37

SHA1
3f1fe978526435f68a6fda6f50767cd273be3f73

SHA256
7d0eeb78130d43e3cee95a373cb8b7bd22d770d6ecce3cf087f58e95ec7529f0

SHA512
c348e680ba5955d94836b463cfab15bb292a63a5364ae7443a4044bfe735394d018fe5ae57730504a4a1f1282a04a508d54b0caa3104b3f7f95589a923040815

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5380FF4EBED444B28ACF57CE42F4B162.TMP

Filesize
660B

MD5
9d74b1bdea4a5af8582d7d8fe941561b

SHA1
e6e61870d3e3faaad77081e1c8c45409ca3ef485

SHA256
9962b6406d8d4184af3c65c341cbbf64fcf745ae3551f27529fd6c082d8ce2fb

SHA512
d2c657b794c73896d8fc3ee3d943c9ea8f576198a54ddd2fe1d2f21fe1efc807ed1b28ada26c6cbcbee5b4fe961d00341ae182b2e02e673fa2e12f0d40a1fad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xk1wtk7u.0.vb

Filesize
14KB

MD5
8c8abb0f73e466625b2f65a8d1cd6015

SHA1
d7bbe0745cd7c3c7ecb24199d541f71e530b43f3

SHA256
77714b219173bbfd6a2ee73750d1223984f0518404f630dac01ea7c63123d8bd

SHA512
f4770a1e68af40fa188dc5dc112c1a35b6e6af3540b911d722a50f95db0a6f1a56220b30c3069e4972caecea7a76a451d610ca623a1c58d00df874383970c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xk1wtk7u.cmdline

Filesize
266B

MD5
e2d379950bd5d144caf4e0a8f2cad8e3

SHA1
a585a34753ef216f115507bada18e51540ff844f

SHA256
4c7d1334966a08fa70e4d2cf3577b43057b59ca700d0bebe84adfbf36cf8e2a5

SHA512
a6bb37235940b08f4429e863a98180c55be890336bf1f2d20f4f58669e5c2574dd02518b14bb65d9705d609f8f763943c3f81835856f40955acf3b81bb4023ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3060-25-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3060-23-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3060-24-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3060-27-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3060-28-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3060-29-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-1-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-0-0x0000000074A22000-0x0000000074A23000-memory.dmp

Filesize
4KB

Download
memory/5072-9-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-18-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads