metamorpherrat | ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282

General

Target

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Size

78KB
MD5

081f7eb3cea9d5246d73df6921c44600
SHA1

71c7e898b40db4f7a0a2c4dd242e6afd8b946a93
SHA256

ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282
SHA512

75087f8ff785895fcdc10cee72241e7efaade4ea926310aa3fb4c87df3a95828b033d7cc9f23d555277071e536a50c3e639f0dd74e54f5a624ae5c63e4b0a815
SSDEEP

1536:95jSBXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN679/I1K4:95jSBSyRxvhTzXPvCbW2UU9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe

Deletes itself 1 IoCs

pid	Process
4724	tmp28F2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4724	tmp28F2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp28F2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp28F2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
Token: SeDebugPrivilege	4724	tmp28F2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3200	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	84
PID 2348 wrote to memory of 3200	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	84
PID 2348 wrote to memory of 3200	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	84
PID 3200 wrote to memory of 3320	3200	vbc.exe	87
PID 3200 wrote to memory of 3320	3200	vbc.exe	87
PID 3200 wrote to memory of 3320	3200	vbc.exe	87
PID 2348 wrote to memory of 4724	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	89
PID 2348 wrote to memory of 4724	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	89
PID 2348 wrote to memory of 4724	2348	ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe	89

C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
"C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nczbb3jt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BEB8007492C43A69D1AF2AB3F60B6BD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3320
- C:\Users\Admin\AppData\Local\Temp\tmp28F2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp28F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ef3be8443cf12fc13409d6c4506e665a34f05dab8d1f11fe76fac7880cdd5282N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2A5A.tmp

Filesize
1KB

MD5
48d47d34e4cf71b7f1e070919778d0cc

SHA1
e2bc8a2da393651846ecd9820028e97c98c83526

SHA256
e2eab535150dc93a0d1331301406015df19c9491abfa7af7b53a4b404dec9129

SHA512
01ad665db7220460894c9c6df15e2523219ce7922a8fed2676ea1533dc5047f78f924e0a66fed57ac72255bfbf33e7feeac13b31ab0bb1b171d9b3124d8de61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nczbb3jt.0.vb

Filesize
14KB

MD5
6e6f7848399fbc3f275e12a85fd1d30b

SHA1
1fcd249f5093b3ededfc08431b51740dac887eaa

SHA256
2f94ce454ebe54a4ec3b17741fa412caa324732960b561a9c1a1fe97b2df2c5a

SHA512
28af742e6679a0385490230d1b325c650782347747ac61a01e1c0a403457761ce61e3609d06221b3cbabbd7f4d4d04c389ab6821ad664a5ec75c75e3d686e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\nczbb3jt.cmdline

Filesize
266B

MD5
e576e2542510fda27ff2b2aa687d6b41

SHA1
50403a0e04518ee3fa85c385173255c350ae3629

SHA256
f8d1913ee5ced5e4c2cda472cf97a7c7f861972134e7ee11a4b013d366b3a411

SHA512
f396e6d0a62f4ed8140d644aedce382419b5f0ef70ef972b3fa9afff68fe39584ae67a1fc271699d75db8c09481905122a99e0b706d6eb1ad3a5124c409f373b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28F2.tmp.exe

Filesize
78KB

MD5
3ce15271d1d60c1225fea7a3c9c4fef6

SHA1
12e71f5505f09d7a5ef17c9984622e58c9f064a3

SHA256
015d9e59e4f9501637cb1bfb2268558e163312cafd7c114fcb9b25a989292f8a

SHA512
e9a0eb651f6236321ff8749a85f359bb6742f61efa8feb6b435d36cce339a793c0425e737ea9545d7338a8c6800b441b4efa00b29101fd8e21bb355c24c6f7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6BEB8007492C43A69D1AF2AB3F60B6BD.TMP

Filesize
660B

MD5
2bb62705845b01c988be3ce65c3cd90e

SHA1
4c338ed2668c6848476cc386a3487910a398b2ab

SHA256
72d6fb09748b7c03e60cb7c3d6988a907927134214929d2fdb01c29f53894dbb

SHA512
e5260cd8bd4c548923a9c36f1254d443d34513d36b592a53d65aaf8f6cb27ebedb6626da97d018630856cfc8addf2290bc65ff53dbb3eeb45e072019974af753

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2348-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2348-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2348-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/2348-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3200-9-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3200-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4724-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads