metamorpherrat | a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574e

General

Target

a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe
Size

78KB
MD5

a65c69d42cc4f3c745b06cb637fb4e10
SHA1

2ad3690ac16f708eb6ba306aa24b981b193191c0
SHA256

a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574e
SHA512

c26b9c888c5776036d3ee80bfda06d8e5fb0343560e3735e598875a43a92d7cdc171c9bafa93706023f0bb6a3b8d30b7b9636fd8ce6f67aa3b4872e89181505d
SSDEEP

1536:Vy58AXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6B9/u1y0:Vy584SyRxvhTzXPvCbW2U69/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	tmp6B2A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp6B2A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6B2A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe
Token: SeDebugPrivilege	1420	tmp6B2A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2544	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	85
PID 2304 wrote to memory of 2544	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	85
PID 2304 wrote to memory of 2544	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	85
PID 2544 wrote to memory of 3080	2544	vbc.exe	88
PID 2544 wrote to memory of 3080	2544	vbc.exe	88
PID 2544 wrote to memory of 3080	2544	vbc.exe	88
PID 2304 wrote to memory of 1420	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	89
PID 2304 wrote to memory of 1420	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	89
PID 2304 wrote to memory of 1420	2304	a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe	89

C:\Users\Admin\AppData\Local\Temp\a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe
"C:\Users\Admin\AppData\Local\Temp\a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctytsrdn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCE63C29B9F145E49097A3457960732D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- C:\Users\Admin\AppData\Local\Temp\tmp6B2A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6B2A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a0b147e32515025bdeff6ff73269866087184d18eb5f340d2c9f24df326a574eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6C72.tmp

Filesize
1KB

MD5
feff7cc5da4328f2d17f0152a36fae6d

SHA1
f823135225bc2a1b16b7b71b7ca0bd44ae6c025a

SHA256
26a5f8c61c6df262a97ac03c4c3f44d910467b51e09874b1b11fd198cb889c53

SHA512
a43f3dbb30751f469585bbd03b5476c14660aa8f7f759f8790d4034361cfd590fd1199b4a50fa41353097d456d3cd4093f86293de907df3bc05596ccebbff62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctytsrdn.0.vb

Filesize
14KB

MD5
20c8c647422bebae6ece91c8694b90f7

SHA1
b23e1e792588dd3de174fda8a89ee3780db72de2

SHA256
566af844d820be8a576e38bf1b4b3ce1d6e754936bf5b1e477a35df336fb4680

SHA512
ec25c84c115d2ea5542e151b9a838d3c3721e3fd296853dd5ce9629d2ab43054fb7799b3f534372d97da5e6bf04483d698b0dab296d44b4a66759b4a70a3f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctytsrdn.cmdline

Filesize
266B

MD5
04939423c241c7dd4fb8893efae1e551

SHA1
425645e296cbcbbd90aa7d4fb6caae9869c10069

SHA256
fd609840f4f1c1e3b8edaf39b6c9f82924d567dfff36d8ece3649b0607dc356b

SHA512
4d5313844f35f431e9b571b8201a6a37decfcc51f3b8c2e1123c18c36407f77e467c2ad451d0deeae30d83efad7ec91262a6d2c41c0f9eba8599f2a7f62d5b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B2A.tmp.exe

Filesize
78KB

MD5
0a51dd4dfc1b0fe66bd0b6e9e64bb73f

SHA1
df4b1db92d78deb27971a4ec85d84a5112e43b1f

SHA256
4e48477469d3ecfb9e5b0a07df9148cc042c13a579e20d21168e55d306aa2f6c

SHA512
05384bbe1c4598dec95798ff5ca4614b469b2f16d25e25d9053d5070e86509ca2d3d6fe40cb0b67b58816ca71b9e3f66b887fcc90202dd833b953ce0088a1b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCE63C29B9F145E49097A3457960732D.TMP

Filesize
660B

MD5
d84cf0397ed89ba6a2a6b8613b4702d4

SHA1
3502a07e770fcf30b4a1a4747ded423e4e438388

SHA256
5f0b6c14f409850bdbb318282d5aeb6266a431aa675565ffbbd530d52a8d3cde

SHA512
ef5ff5a342e78a9e9d320ea73900986b575b6105ad11528da5ef72bda9f164a4017a572083c74e7e9411150723837f6e73f007d3ba2bae0b7a43af9fc1f1e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1420-23-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/1420-24-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/1420-25-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/1420-27-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/1420-28-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/1420-29-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2304-22-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2304-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2304-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2304-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/2544-9-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/2544-18-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads