metamorpherrat | 29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21

General

Target

29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe
Size

78KB
MD5

18dbde63e4bcd0d46259fb7e7c590000
SHA1

ef9a97a364a81ad69ac4c55a2e3a13aa75692c6b
SHA256

29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21
SHA512

a20369394b985670b8f4cf63d3e90bf81fe3cbdd752bac972eacebadf38cc5318f82e328be693612388dde68dfd544c320a2317bb5d0ec1be6ab7f9f20d2c274
SSDEEP

1536:HHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtV9/M1Dg:HHa3Ln7N041QqhgV9/Z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	tmp8A2F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8A2F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A2F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe
Token: SeDebugPrivilege	4056	tmp8A2F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2264	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	85
PID 2724 wrote to memory of 2264	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	85
PID 2724 wrote to memory of 2264	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	85
PID 2264 wrote to memory of 1380	2264	vbc.exe	89
PID 2264 wrote to memory of 1380	2264	vbc.exe	89
PID 2264 wrote to memory of 1380	2264	vbc.exe	89
PID 2724 wrote to memory of 4056	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	90
PID 2724 wrote to memory of 4056	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	90
PID 2724 wrote to memory of 4056	2724	29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe	90

C:\Users\Admin\AppData\Local\Temp\29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe
"C:\Users\Admin\AppData\Local\Temp\29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrldhz9a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61D89FC273C540E790BC46DF315B78.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29d6b16cc0a579dd0fa8d1d465c7d19fe41bdfa41ed746f7734353603aeffe21N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B19.tmp

Filesize
1KB

MD5
8543075552e09da29b94bf49363ec06e

SHA1
a1a4297f46145ff7625b647ee13d9015f425436b

SHA256
a82fc4069d33940b6304dc6cc3d7231e0ef6ce1d048d977a2ffcc7bb3f4149e1

SHA512
b3c861781d3f53094e1554e33f7171233380941fcd822be340f95fb49e29e363e5b640d55bcbb5c13122c1820e23bdcbafab6cf4acf48fe9777625302baa9a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrldhz9a.0.vb

Filesize
15KB

MD5
372400e935398bbbe2ea8419b157a6ce

SHA1
a5a2008e0e8d47bf0c8f369895b4ac82b031df8f

SHA256
dfc1eaa1a951df89bbe03833c3f09581833a92008ebe0edbf194f1f9722e9a20

SHA512
4db0bf315b291093f0f36174e975a27958469db9fefebc34ddd4946c67c12b3d17488915e4786df1c6b0c6998895e16ba1ddd6fbe6929c7ea7112e9945c0ec5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrldhz9a.cmdline

Filesize
266B

MD5
d5e0867dc0e590a80051cd9170e684e9

SHA1
b64bf94504305691b02e7635973c52aa4d4f47ef

SHA256
b154d0a0e2f29860b6c3c0b009799b76cfd05b7f27577d826a256b2ef7e34920

SHA512
2538bbe784c19b0779b7deaaf4a06580614e6204dd58281c173e80f1a8c18229d9ec887911d8747b703d1fb983f334f102abe6e2692f1b18e5c47a3f0a3e66c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.exe

Filesize
78KB

MD5
adc4b38421ce1c51caf48156b1b38af2

SHA1
de1f2cff8ac6484a4167b87cf495e61cdfae8994

SHA256
e81681c20c6b0155f383ee220fb4cbf3e5271fec9a61ec1181be95fad5295e94

SHA512
8fad98ee0ac2aa4aa872faa409e5c9e6399d1b98d6dd2db3759d4a3a9be70a327568ed01d70fcd2212169228caebdcdff437b9c003605ec4e4bb43f5df15d2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61D89FC273C540E790BC46DF315B78.TMP

Filesize
660B

MD5
5be0d0832c5f60cbb0635f65926d4c8f

SHA1
c046fb24f95c615345b85ace0775cbf9bf2a0aad

SHA256
572e4db4b7df8e9cda1d6943c3e6dcee0ed6e2eecb1a6ef775cecb144ef2f40c

SHA512
cdfc56e95d062b1e7c37b2d19982d7c4e8f905cae7368ceb326dfc603ba409cd1fdd3560fb661472ed222049033ba28092654ecc5b9d043fb8b789f77c11733e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2264-8-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2264-18-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2724-0-0x00000000755A2000-0x00000000755A3000-memory.dmp

Filesize
4KB

Download
memory/2724-2-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2724-1-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2724-22-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-23-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-24-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-25-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-27-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-28-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4056-29-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads