metamorpherrat | ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b

General

Target

ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
Size

78KB
MD5

b6f0674c0f2b31b3b5cefe91be1b6582
SHA1

dd40df38bc722c3dff53ee01a7cc878b75660d83
SHA256

ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b
SHA512

ae15dfb83e002e4de7d57aefefd3ee8e10fd84d7a3839b2c9b58db5e7c8415afa2d78962f6b4cdf7671fffc8693e71b0be295e9f0454f62c8cfe4293f71c3716
SSDEEP

1536:ye58AXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6g9/D1B/:ye584SyRxvhTzXPvCbW2UI9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe

Deletes itself 1 IoCs

pid	Process
1944	tmp806B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	tmp806B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp806B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp806B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
Token: SeDebugPrivilege	1944	tmp806B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3996	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	85
PID 1928 wrote to memory of 3996	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	85
PID 1928 wrote to memory of 3996	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	85
PID 3996 wrote to memory of 4628	3996	vbc.exe	89
PID 3996 wrote to memory of 4628	3996	vbc.exe	89
PID 3996 wrote to memory of 4628	3996	vbc.exe	89
PID 1928 wrote to memory of 1944	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	90
PID 1928 wrote to memory of 1944	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	90
PID 1928 wrote to memory of 1944	1928	ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe	90

C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
"C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e5swkyas.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC7C2626AF374EC1ABB3ADE1317E9E69.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- C:\Users\Admin\AppData\Local\Temp\tmp806B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp806B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee944562089f2d87d209e48d6eb01e5f6261fca76106766ce09ae2241f71969b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES81A3.tmp

Filesize
1KB

MD5
ca8674de7d676fee03f5e5e82120565b

SHA1
c6f9f2a2aa50a8c5c978299beb9d85e47ffb2199

SHA256
934942ba2c20601cf29ae1b2c333db9ca908ce9a33cb33f11e063c956dfbf483

SHA512
4e32d3b3cfa6c09fd5542c2530f8fa5f9a579a93998c0cd4749447fa9d7f6a482c8ab0211398f96835f88f13873ed9f476df9979f542914db22d859c2327a771

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5swkyas.0.vb

Filesize
14KB

MD5
7e896b2fa76b54fef5b75e143ce777f2

SHA1
732e939e1e7c8f86b64c96dbe7bf7a170bf15edd

SHA256
f1f82433b63ad53b1090ece6dd7326eaabc1f27773d52a7209e3269e404de8c7

SHA512
549a40979ddfb231a21d89ce5bfbde43b7d8ef46ee981adafbb4774b7eaefce6dcc3979b0a7dc542dfbc2f1732e66b369771403fdadf0bf1b542f5b81dc36a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5swkyas.cmdline

Filesize
266B

MD5
731752e356fe0be3b35daa5f8c74c00a

SHA1
3f3151f5091ec1c4b88814d4cafe7dc869846a6b

SHA256
004eda545390fbbfe9d5edfd06641f3f95cf8ff36f6ca6834cf0cf435949a624

SHA512
4187bf521454f31a5702a2a49fbb99d74930a3ab0605f657e72a54f27f2c6b50560d38664e4afba3a2f700544fa221794bf5dfaaa2f8d8a92dcf6d1ae63caa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp806B.tmp.exe

Filesize
78KB

MD5
b688ea978943c939225574701ba5997a

SHA1
1eac5a4547ee3b50114f374afd0230a5f98f42b4

SHA256
2b20a777ab9ae011fa8693a09a08ecb2da0620a64f745ecfd9c7a3f5739ff86e

SHA512
6ac98b08fdd1dd902e1ca28e2b31d9c18e7f83484c5c4e6b72f735b045b48fb10dd3d39e7fd78bfecb2864a14812631662daac38e5ff9ce4136d6203e50a1916

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC7C2626AF374EC1ABB3ADE1317E9E69.TMP

Filesize
660B

MD5
e0cf63680ffaf993262fb7e9f3ce3146

SHA1
ea1c1573db540034ccef408f0c87c17eccd2e39c

SHA256
1758cbfdc8125bed239d66fbd019d188772493848b58ac65499fd98998abfd10

SHA512
462d6f2f0d1b90d80768aa0265f15d5d2ecdd9663d49e67805d45d8a45e613f27ae580706061da672d8d643b8313d86c7f1a59b6186d84205dc867886fcdc418

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1928-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1928-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1928-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/1928-22-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-23-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-24-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-26-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-27-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-28-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3996-18-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3996-8-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads