metamorpherrat | 9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5c

General

Target

9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe
Size

78KB
MD5

a9b12f41d2efd93bba14633643e78510
SHA1

24030cc0732b1db95e6d8a0f7806ce2942aeaeac
SHA256

9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5c
SHA512

f34792304ebec93288718e1f7426966e7bfda18d2a2565a08a3cf4322634a8d17b6a52b7a77c604d4f54ee21ff2dad68b1ef6a1c984cc17ca27d49a430c75b17
SSDEEP

1536:Hc5Ody0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6u9/Ph187:Hc55n7N041QqhgW9/u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe

Deletes itself 1 IoCs

pid	Process
3380	tmp7BF6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3380	tmp7BF6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7BF6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7BF6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe
Token: SeDebugPrivilege	3380	tmp7BF6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4076	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	87
PID 4232 wrote to memory of 4076	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	87
PID 4232 wrote to memory of 4076	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	87
PID 4076 wrote to memory of 4632	4076	vbc.exe	89
PID 4076 wrote to memory of 4632	4076	vbc.exe	89
PID 4076 wrote to memory of 4632	4076	vbc.exe	89
PID 4232 wrote to memory of 3380	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	90
PID 4232 wrote to memory of 3380	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	90
PID 4232 wrote to memory of 3380	4232	9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe	90

C:\Users\Admin\AppData\Local\Temp\9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe
"C:\Users\Admin\AppData\Local\Temp\9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twarxx2u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54E439E15E004548B9E820CBEE5E3563.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\tmp7BF6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7BF6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9f8455cfe072f34e23e35a8a542d177665a4301f2b139f399607d6d0d9470d5cN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7D5E.tmp

Filesize
1KB

MD5
357da35b61b64411afc7e98bfb0757ef

SHA1
df8321f871d9aef28acaecdc5fb5e1eae3c9499d

SHA256
92e2bf4f7fe7e2c546fd2d8687c2731a867f78b1e1daaaa96ba2c9f0560246e1

SHA512
b91f7fa2b6618d05f29d7648dcc1e32298ddf5f881a83e9f22749fa144d5abafcd667dc1cdc697df6349947be3b011e72c8b52f58aff8ecb6798f626a5563f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BF6.tmp.exe

Filesize
78KB

MD5
911edaa550a2c891a45b317b8d26a1f3

SHA1
83bc1a483607707fbe0f8ba1ac41df5a2c09a70a

SHA256
b52b9dc20ccdf041eb7dbfb2ec77fe21acc2d30145726aebfe9a88edbeb53bca

SHA512
97fb1148105c114ec050cc04149e048f8a97be90716ba13876cf25502b8172d84853ece745e81af698b1374f1298eb6657702e4b2b800a56c99ede4e87c64ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\twarxx2u.0.vb

Filesize
14KB

MD5
b7067306e1d38dddb89f12831092d993

SHA1
51439f81baf779e0b0c4615d8eda9c3debf3ef26

SHA256
5327f14333ec35613ad865a37271f180e9b15510e713a3659eef8142bc81a503

SHA512
79f6fa003aa3c8da54ef0ca9700b7c1780f5b9c5ea180d581ce093728dfb4998afe34cce81c80bb38e226b32245d89a9356dfa3624eecee3fe8173272858010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\twarxx2u.cmdline

Filesize
266B

MD5
29f96211d4e5ce856ac8efe0f8e98f5f

SHA1
ded0b39c1a379ceeb8fa2dd429a9210d9faf866b

SHA256
ab416247eaf494747694a2ba7206147ad5be1c6da9c8964fa72303e7ecb2af0d

SHA512
87e42cd666a3400607429c07325a9bf45ff7ec952400fd2302ff0ce8e9abb975427bbcdad9716bca3265fe3e09c5567a7c1c54f1cdecdcca44aca327d1aa8c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54E439E15E004548B9E820CBEE5E3563.TMP

Filesize
660B

MD5
d00cff24677554e45db3e7ba0952b797

SHA1
1652f1dc2e678d614c90c0053ec5a03790eaac99

SHA256
812840dfe3678ad07887cfd337c1bbb9f716ccc0a82a7cb6229615718b94bad6

SHA512
3adcace8710734e60ff1a195d0e3689b6ec9b7f30834f4fb50fa7cb07667683940fef111aff02b9f96c282787ab05ef208ed38b5c577db38d217762c9a3fac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3380-23-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3380-25-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3380-26-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3380-27-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4076-9-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4076-18-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4232-2-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4232-1-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4232-22-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/4232-0-0x0000000074BA2000-0x0000000074BA3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads