metamorpherrat | 41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0f

General

Target

41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe
Size

78KB
MD5

37329365535ff30d183336f754e687a0
SHA1

3b618edab92651d3c272f789ac3c919d96c962e1
SHA256

41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0f
SHA512

afbb2a0375a7ca7865e8a15b9b59b8ab68e801a693458cd19c401357d14ae98a68e754c5fa546cd4e486c7f1e05a32af3aaf4f98f7a4137f68d0245f9390a3d3
SSDEEP

1536:rCHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte59/z1Hl:rCHYnhASyRxvhTzXPvCbW2Ue59/3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe

Deletes itself 1 IoCs

pid	Process
1128	tmp6793.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	tmp6793.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp6793.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6793.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe
Token: SeDebugPrivilege	1128	tmp6793.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4276	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	85
PID 3028 wrote to memory of 4276	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	85
PID 3028 wrote to memory of 4276	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	85
PID 4276 wrote to memory of 1560	4276	vbc.exe	88
PID 4276 wrote to memory of 1560	4276	vbc.exe	88
PID 4276 wrote to memory of 1560	4276	vbc.exe	88
PID 3028 wrote to memory of 1128	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	90
PID 3028 wrote to memory of 1128	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	90
PID 3028 wrote to memory of 1128	3028	41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe	90

C:\Users\Admin\AppData\Local\Temp\41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe
"C:\Users\Admin\AppData\Local\Temp\41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8fgxpewl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES689D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D4B634B793F4B5387EC7E4BFCF5EA3F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.exe" C:\Users\Admin\AppData\Local\Temp\41905b3045bb9dd6ef81ea2d105f1385bfafdd9057461f0cb17f8b9f4f687b0fN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8fgxpewl.0.vb

Filesize
15KB

MD5
52642bcf31475ef590e30469cdd40bf5

SHA1
4477c5f072fb8a45026b62722c1268847c755ff8

SHA256
85e08525105610f2112bf4c5a32b14e151db394d8ec79caba559ec1e9758db66

SHA512
ee5fbb5dbf84f7342bd5c17430ba4b2e280debd4d2696b3351fba3b6de928950743b6b7be54fd156a20c7db6662d64936cc9ade43d42ee2a08a8e5b1cf6fb7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fgxpewl.cmdline

Filesize
266B

MD5
af3d0426f5215ef832055c3875e6dbcf

SHA1
23ba52769c4138950bf672580ae179103e60bc48

SHA256
62fd6172ad694cca6d8353a9b8b4166c9adf52706f76b63c5363b286404513c1

SHA512
813f956bd89ac1ae919af338b4b76e60cd085972c00049d852b66c2223a57946ee1964936f1efca156a2f6012bdf3cc53f08c8bf33daa8c0c718225814875f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES689D.tmp

Filesize
1KB

MD5
6d58e0817d5229e37fdce02900de2f49

SHA1
4f1c522dce310a9b2107ff577ef96b96e997b270

SHA256
f665de987533d95e8ab63a4b503a051374af3c054eb4d931e73dcd56b8fd03dc

SHA512
24b1c451f40be02a22145a097d7a601cff28b8976e5c2e53080e527fb993d7af5d9fc33c24ccd28f9d2322d41a0984df7ef3e3550053f58e9b2ac1e82a6a407d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.exe

Filesize
78KB

MD5
6d6d1a9051be942e5927aebdb128d204

SHA1
3bab17cce7b7335768a8fdd933ec8343e7dc00de

SHA256
943eefb8564bbab18030a36a6394266ebc2d4344db8cecb91999dd82247bccae

SHA512
bab3845e9bc4121e57298b3f995714a86286a55acbe3bb785f0e582acc4044404dcdba85692a3dbd5e8f70cd42de6f1a89ad4e20b2cc4910b766fa488a2963f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D4B634B793F4B5387EC7E4BFCF5EA3F.TMP

Filesize
660B

MD5
5fe3435b0a909df135ac860a7bc1cc82

SHA1
dc083ab79d0f6baeca248d66f5bc489dab02df2b

SHA256
72f7d6989e6052ee908e4e4b15f3e736df80431f975fe96bd5675e25a772c1b1

SHA512
babd97197cd219c5860ffdb7abefa6f57948e65128de6f58453a963ad6b908a60e7d003aee50a5e54c75769775c405de6cbba23118061261bef974c8f91d192b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1128-23-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1128-28-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1128-27-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1128-26-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1128-24-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3028-22-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3028-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3028-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4276-18-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4276-8-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads