metamorpherrat | a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906

General

Target

a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Size

78KB
MD5

a7989493a8e5fd945b366d1230069c50
SHA1

21144907dbdbaa2ad41da6dfed7b3a93dd104b71
SHA256

a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906
SHA512

332e1ca4b60410afa1fb39b1edddfdd6d86d5168300eaec9a79e4ffaa5086f94ffaedf4f0cadb34eb717342db111eef41bdd38ea6519f4eadbcbf86af15009db
SSDEEP

1536:jPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/u1vM:jPWtHa3Ln7N041QqhgD9/z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	tmpA299.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA299.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA299.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
Token: SeDebugPrivilege	1488	tmpA299.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3812	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	84
PID 448 wrote to memory of 3812	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	84
PID 448 wrote to memory of 3812	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	84
PID 3812 wrote to memory of 3572	3812	vbc.exe	88
PID 3812 wrote to memory of 3572	3812	vbc.exe	88
PID 3812 wrote to memory of 3572	3812	vbc.exe	88
PID 448 wrote to memory of 1488	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	90
PID 448 wrote to memory of 1488	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	90
PID 448 wrote to memory of 1488	448	a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe	90

C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
"C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhlj5xdx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC46E2461FEE4808A1F1244B30F956DE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a655fdc241f9ca03dfb0de2d52212a1d1557590482593024ec3a6b681bd2b906N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA3D1.tmp

Filesize
1KB

MD5
fb9e7650ef6642385e8153c72770b439

SHA1
115797d1a7f104b8b5e2a5ae4a6a283b9b7947e5

SHA256
54dcd9cd67fbe97302a63928df6d46643ce12dec661198e64ebe9f1bf99906ee

SHA512
2916e0243137a767c80927efe77e1089d33ae202d2d8293b85ecb0e300433d01f1f2dc8f82e137c37c956749a24e7cbabad89dd1543be8ccd9f437791cfd29c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp.exe

Filesize
78KB

MD5
faf4e1df15c3d88f0b274bae62d4182b

SHA1
6f255adef22c931787da5374758b8032a9e11448

SHA256
566dc6446a88a6031d58d241e9f65889acf0c4bf3fe59b9c10f3263a4709f49e

SHA512
0ffd9e6b492ff27b76bcb54214ee51ecc0a070132bad4e843b4ad109ac3e4a8a991b17fc37bfad198b5964d5415a3131d9ed4e98fca0e9e95c7dacb8660207dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhlj5xdx.0.vb

Filesize
15KB

MD5
5221d7380097cc0b01a97dda90ad3fdb

SHA1
bdb9d92acaaefef62e88746c8e7c977b73b8f437

SHA256
e45b1e751a507d519ad2e7da708ed73549661506a54441ee523ac6523e475c13

SHA512
377b06318e9db6ef5993ed9025086e2bb0331aaf9684042afc2ef0f643a868469f6e196522ffc7511232f079e919a426c6926155b9d99b0e2dcd837f47c0ad2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhlj5xdx.cmdline

Filesize
266B

MD5
0739572656b8d31bb4bfcc5eb966763c

SHA1
b444cfa382d1dc6cf9bf4126d52acb5db4906bd1

SHA256
7cfa712a69d04fac85d01e9959c3798b71f1793afbc48b80d78d76d9a18ff920

SHA512
2746fa39efbd43e84df88a4aa0ee4d5641efc72bd1c04de06b88e3f16ddf3693613d582ce074323da54e6b57989c79fbe18c364850abb1e9ae7ad9665691e2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC46E2461FEE4808A1F1244B30F956DE.TMP

Filesize
660B

MD5
5dbd73b17635d94b2de9f0d0510040ae

SHA1
d16723eaa9a1c6bf5be3201dbc816c8b4850f3ef

SHA256
af786fb8d8442e75624182c95a2235cbc676af4c84b53fc3b95cda4418125ca3

SHA512
0a9edf03491c78fc48f632ad6236a290d83869b7357a7dfeaf5265cffbe739060bda309a35460d225e2f8d5910c680de3d9d5c9b6fc9040005e9d0d379389e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/448-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/448-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/448-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/448-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1488-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1488-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1488-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1488-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1488-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3812-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3812-8-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads