metamorpherrat | a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2

General

Target

a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe
Size

78KB
MD5

48cb801e22778f2bcb604511d8cb1010
SHA1

d131055e05f7dd79e85b28142b665b1175fb6a1e
SHA256

a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2
SHA512

f03ceb8c608f3c9714ea082225f7de0721feb72300e6de5311bd80bc8c5b8954f0795a967662d81cd87ba0b3c0eb7315603b9ad03469fe3d0df5a7255a93b63a
SSDEEP

1536:xy5jVvZv0kH9gDDtWzYCnJPeoYrGQt961M9/O1qw:xy5jVl0Y9MDYrm7GM9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe

Executes dropped EXE 1 IoCs

pid	Process
1392	tmp90B7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp90B7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp90B7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe
Token: SeDebugPrivilege	1392	tmp90B7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3140	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	86
PID 3352 wrote to memory of 3140	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	86
PID 3352 wrote to memory of 3140	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	86
PID 3140 wrote to memory of 3372	3140	vbc.exe	88
PID 3140 wrote to memory of 3372	3140	vbc.exe	88
PID 3140 wrote to memory of 3372	3140	vbc.exe	88
PID 3352 wrote to memory of 1392	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	90
PID 3352 wrote to memory of 1392	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	90
PID 3352 wrote to memory of 1392	3352	a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe	90

C:\Users\Admin\AppData\Local\Temp\a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe
"C:\Users\Admin\AppData\Local\Temp\a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aqr1mxq0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9191.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD017D8A9ABEF441781A21865F927EB1F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- C:\Users\Admin\AppData\Local\Temp\tmp90B7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp90B7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a8292e7f6ebbec53825af1141df019ff186ce49aaba04b4be18831398aad2fa2N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9191.tmp

Filesize
1KB

MD5
e856bba380aef21e2178ce3796f4af8d

SHA1
4e516e1d64145b293419f4e95921de7d23ffd43a

SHA256
0756cbebcfe70e627fb775b20cdb50bd3c4af01fc59f5039d9c877d5d2e7410c

SHA512
301d37ad7ab5900c6f797b784d3ea55619a543b739c31422ec839947259293f0ca675c7690d384b163afd53da746e1cc8a9c285e5b9a4e96565c759a2703e690

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqr1mxq0.0.vb

Filesize
14KB

MD5
9dad2a52be43b6c44824eb33a0d98fcf

SHA1
372cf9d15cbffb47ddcedd2234c5d8015c0af7c7

SHA256
2f0ba45a9667ee4e5bff42b19929065f0d968e940243dd18d3d733f5a7fedebe

SHA512
6b7482564b6b87c8ef8a61d7eea260d4b4d50b9d65eb150511847ca3bf3e00943715fbc6fcde433c1d89a07e94dfc487336fd583544d713c0d03ffb9241104e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqr1mxq0.cmdline

Filesize
266B

MD5
3b844fc2871b25c412cc4bb1d15250ce

SHA1
f73aaa595741451a98af46e0a6d452f0500481a5

SHA256
e0b174776abf91157150ca9c3f20f2438f6df0f8bbec11887f06312407a4881a

SHA512
154e8600fbfb5cd0ccdc9b2b4331ba3b5a16df13cbc34af7efd54572d89b27094282629d153cfbd3ee2c3de987cfbe533761c49bedf0a54dee284438fbee845c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90B7.tmp.exe

Filesize
78KB

MD5
23774301093364537d1a21c2e2ed0ad5

SHA1
35cc3f2e860131fbef1c050145383d10b163df75

SHA256
731e4335b196e51a835e9f0431a0bec4d49d47885c43062987821bbccde956cf

SHA512
80f5d9f5e248d3bc7d2529cee7d39105d9307feefc15262ac2704728a16bfbc72009ff432732ab36791bd4c6128cdbf62c609b1e49dde82f0c51a7269aa35ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD017D8A9ABEF441781A21865F927EB1F.TMP

Filesize
660B

MD5
85f2948b690cf095ac7637753fbcbe3a

SHA1
59fbb53adb7a4298ef5bc8df1ffacc999191e70d

SHA256
a850c4e06d122d25416cf9357b8d9065e4e1724afcd3a9e71ff719afec48230d

SHA512
592ecad665bd6bd827d6a0b223bbd99709662de9effcacc9b827f35c64e2ab69576f617e6a03c329b88a359f9cf590cf9091f467763e4e18d1712006b6e16330

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1392-27-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-30-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-23-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-24-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-26-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-28-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-29-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-9-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-18-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3352-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3352-0-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/3352-22-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3352-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads