metamorpherrat | e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1

General

Target

e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe
Size

78KB
MD5

2bc878972703638ced758864b4ddb900
SHA1

6ff44cd73397f1118a798d81d2b245aeec080106
SHA256

e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1
SHA512

709871b2d07e1b36d46b315ca266536a72a776345b9fb50a82018df5c42f0ffc550267b644109bdeceec91a7d99c4ac1b1912aae4c51202a835241d4214b685b
SSDEEP

1536:7WtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLk9/21u:7WtHFo8dSE2EwR4uY41HyvYLk9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe

Executes dropped EXE 1 IoCs

pid	Process
4440	tmp6BCA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6BCA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6BCA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe
Token: SeDebugPrivilege	4440	tmp6BCA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 936	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	84
PID 4172 wrote to memory of 936	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	84
PID 4172 wrote to memory of 936	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	84
PID 936 wrote to memory of 1248	936	vbc.exe	86
PID 936 wrote to memory of 1248	936	vbc.exe	86
PID 936 wrote to memory of 1248	936	vbc.exe	86
PID 4172 wrote to memory of 4440	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	88
PID 4172 wrote to memory of 4440	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	88
PID 4172 wrote to memory of 4440	4172	e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe	88

C:\Users\Admin\AppData\Local\Temp\e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe
"C:\Users\Admin\AppData\Local\Temp\e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrjp3kiv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EC1793F3DD41878E14D8A22299DF4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e30c22ecf2bf9e1aa974601f92ee37e3190dd0e0507c288acaff96539af943c1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6CF2.tmp

Filesize
1KB

MD5
2de6c3a432964beb4407cbaec4b8189c

SHA1
5ab32446599cd86f21cbaea692efc704d950e736

SHA256
6ad807e48bbaebeb33ba6f793c9b1a7ad754076e2e5c84b4725cb860eea9228a

SHA512
f297b8380bb25a37691c2d1eb8a1531664dd917c3d841dfe53bfc605dcea9e62a0c7760aead0fdc961eeb2197070d51b7e09c04d71a36911ac96400204f86499

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe

Filesize
78KB

MD5
34f02c9de2f7b13a6102ad891df74608

SHA1
be0428d75f2fab7f89e199315964188e6226df26

SHA256
7c0cec4a3bcffda4255c261fbcb7873fe4b4ced6eb584b0a0a5581dab4bb8adf

SHA512
34ef0d4356498e10eb788cbc726eedd3c047edf63839390b42d475c92921ef8f90bae686d0b5d6bfa9112b6379a634ba38224f29cb16cc43d14e4abdab6c3eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5EC1793F3DD41878E14D8A22299DF4.TMP

Filesize
660B

MD5
e9d7619c1d2546e2dab4628ae1f0ea1c

SHA1
29a59d5f2898abdc304d38b31527f231554eab63

SHA256
d1e956b1bfca28ee13b6fe03ee4a5f603b54a6603ddad4a17faacaec5131900c

SHA512
9aa985f1fc3a03b96c7484b8d1a594427cce6ded3f62ec10607349d1a6a2e77c570e27a7b2495c9bcf6224420f8fd78ebd94a9e057d54381c4d96c8a6e51affc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrjp3kiv.0.vb

Filesize
15KB

MD5
9b773205203a71e5ee645d23793c1725

SHA1
55c1f0f15dad6e624c45f24012aa22361c844bc0

SHA256
83235fc0c00f257567ea53b961b944b6859cdcc361981071650ddecb84841bc6

SHA512
2c5fa59e1eeca434d971c323b15ba3dae5ca218948a598ee340611ca3cfe0fba4f75350e1ca60467f6ca88514b292be1464ce9905913f4743a640f86913c8a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrjp3kiv.cmdline

Filesize
266B

MD5
6b7a019872a8e2c4d41316bb4f021b3c

SHA1
6924a99efc5472459ef48116b482e36d38736147

SHA256
e857c6c24c7c46e4f5ced84fbb66e6a0af9f07e51d37d78009f7adcf876b38ea

SHA512
bcaffbf1e10689067b94a06cdf2fd0dacc9377c7b472c0ba1a75b038c5acadcc4cd3e26dcfcb9ecfb12f766aac5dce67ddac1c6ee9a2084057344b3d083ef0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/936-8-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/936-18-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4172-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/4172-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4172-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4172-23-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4440-22-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4440-25-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4440-26-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4440-27-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads