metamorpherrat | 674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04e

General

Target

674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Size

78KB
MD5

cfac1a9904f7bc099a0aa77aa2af6860
SHA1

0acdf75f10e712b89cb301a68b52e85e3021bc68
SHA256

674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04e
SHA512

7f4dc4408a8e6c17218cc0ba3e95a4bc5b3b3d3b6bd905a6b1b0437ad3e75561508236f42f2d6fa0485fc2ed759cf8f41114ecd74dd5ea38376210e6bfc8dc62
SSDEEP

1536:sPWtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQty9/g10:sPWtHFo8dSE2EwR4uY41HyvYy9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	tmp91D0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp91D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
Token: SeDebugPrivilege	5044	tmp91D0.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 1880	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	84
PID 3604 wrote to memory of 1880	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	84
PID 3604 wrote to memory of 1880	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	84
PID 1880 wrote to memory of 2960	1880	vbc.exe	88
PID 1880 wrote to memory of 2960	1880	vbc.exe	88
PID 1880 wrote to memory of 2960	1880	vbc.exe	88
PID 3604 wrote to memory of 5044	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	90
PID 3604 wrote to memory of 5044	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	90
PID 3604 wrote to memory of 5044	3604	674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe	90

C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
"C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r46dj01n.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FDC3825671343D3AB6FF7E9789B7CC5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\674e2b13d656ae775ed50d4c0f0fdec224d493026bb9b3c71488467a2db5f04eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES92F9.tmp

Filesize
1KB

MD5
a25e35cdeef9c80f4d1b337869d20871

SHA1
de5f71dd3e69c51b02569098879a13440cb6c7dd

SHA256
7c080dc23ef9e6744bebebb76625d7ec40c898733560eb73fe8f8f947498871b

SHA512
371c805e629a24d4a70098223fc6e5e623a8f82afad025df710580cff7e8e43a695715df0f0c91b074e8cb52f236ffe81b163f699eaf327199e8e119ed5c91dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\r46dj01n.0.vb

Filesize
15KB

MD5
e3fb4d88713cfa0504d8305dd95dba00

SHA1
d3c546d5f7dd00db5c695f07aff3b2d80e4bb72b

SHA256
738aa4b78654af84b7c13e73f2447212caaae895ba0f89e0ebd62bced289f011

SHA512
f41a7cbe1cccca876af97307e3286c6c3281293856d21e63e5e1e33c9786554e4db20f12aeb8696ceb3305361c28814a5d959c7abf2cffc630056e626406b842

Download Submit
C:\Users\Admin\AppData\Local\Temp\r46dj01n.cmdline

Filesize
266B

MD5
d8f562347ffdb8fa08dddf33dd130bad

SHA1
365a0b827fdd0b0155cd107079d78c661434cf2e

SHA256
bb4704fe981d8d99f0311c948e85168742195187dc0198d72ce0a92c32efaa80

SHA512
965ef7bacdc1c9ec1bd20dbf4595ef529058a8dbf9b09ea900f8a26d3a54d0fc617327df6f93edfd10dda2f4f526ae9cb5b2cce5e25630c73740dfbfe52d0e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91D0.tmp.exe

Filesize
78KB

MD5
de07728bcbc88d3bff7bfe92a92a6dd7

SHA1
f1fb3d62dce0528f215451b9ee26942c3f776f17

SHA256
4491044c66576b60e34f7020d357fb07893013af07f4f9fd5c9859e409620b42

SHA512
f36232e57883881f6d4eff0eb95b438e3b18cf7817515aa746971887f4be775b09e35a67cba35633b742321c77a9d71ef34b976e6da91f09439f4d2d47eda682

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3FDC3825671343D3AB6FF7E9789B7CC5.TMP

Filesize
660B

MD5
37b62cf3b26bf3065fbde1b90c9801fb

SHA1
ae0404b8fe289c73c6067eb9b7554907342579aa

SHA256
241cab1a84ce05dd0056c91bbbdf44668216cf69ee50308c900f707a260deab5

SHA512
fad01314f49ab17d820baff5c05eb2eee19b538f265af288333754449f99ef0a97463df46a44f940003d57264e5cf29e33ce12c4478b062fba0cc6d04e7bae24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1880-8-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/1880-18-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3604-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/3604-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3604-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3604-22-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-23-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-24-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-26-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-27-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-28-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/5044-29-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads