metamorpherrat | 49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4

General

Target

49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Size

78KB
MD5

1f1e0e927b192f9d4646c233e8f59080
SHA1

532c3458cb025a90f97787fbec0856bf7df0abac
SHA256

49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4
SHA512

ad141c3f301d90ed09129db0da61043627d8427b75dc793956ad24d6bc7edd47d4b6c3065cc8deb3e3b4aa0074ccec678faa3ad7e15b96cdede18ed8e2dc6a7a
SSDEEP

1536:Me5vXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtS6B9/h21Vj:Me5PSyRxvHF5vCbxwpI6Wp9/hu

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe

Executes dropped EXE 1 IoCs

pid	Process
3592	tmpAD57.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpAD57.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAD57.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
Token: SeDebugPrivilege	3592	tmpAD57.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4368	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	85
PID 1960 wrote to memory of 4368	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	85
PID 1960 wrote to memory of 4368	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	85
PID 4368 wrote to memory of 4508	4368	vbc.exe	88
PID 4368 wrote to memory of 4508	4368	vbc.exe	88
PID 4368 wrote to memory of 4508	4368	vbc.exe	88
PID 1960 wrote to memory of 3592	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	89
PID 1960 wrote to memory of 3592	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	89
PID 1960 wrote to memory of 3592	1960	49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe	89

C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
"C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q8nbamli.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6209CAC34444BD6B9BC28E99BCF643E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\tmpAD57.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAD57.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49c757312ec6d00f120fd11de2b863acefe3b65430e09685d5f7c486fcb09be4N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE9F.tmp

Filesize
1KB

MD5
e8118f724828c8b684cd86234c338aed

SHA1
7a9f5750e37fd485352d40d9f650884d8caeb762

SHA256
62b85fc5b392836401bdf3269805363b63ef0d007d9c9490df078654c95b5286

SHA512
d312e81bbdf24cfb2d04639787ec92fa4f0339472df88a3d656301f38f22447b45bc2d35d6a5b072e82b2d2a92875753bd405a7c12bf7c8dc2df4251f51972c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8nbamli.0.vb

Filesize
14KB

MD5
81f6c48e2391a2478a0f823145c3ca7e

SHA1
5a7b7e68069403fb6964efe0a2f9ad1a27273603

SHA256
ca9477a8f54a0625d93ddf6cc8c60c5829be35658d0b0a3f6ca31704dfb98d13

SHA512
58f4abe39c4b5d9dad05f705ac91b0454927f31e2016d94c34b557ec56151a57fa5a7bc31b14852d5a032526deb4720ff2aa7bcc58d0bac7626117b7c9881e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8nbamli.cmdline

Filesize
266B

MD5
fe875b80c024b749e0c40b10162a776b

SHA1
ad3ed2d2b9d87dd4e09720a19868c9bf79bacd10

SHA256
c2b89be13dc55ac030b31534f8d0ea503b94bb92ed100b50e80c1660a21429e8

SHA512
1156da738264be33cb8458338433d2095e7ce4a13eb583777ffb34965fd4fd65186b197c9601c0f0705a069076da6f14d975ef4af492d351446bd52ea8bda141

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD57.tmp.exe

Filesize
78KB

MD5
a27c29b3e1099882ee6e7388f2cd82f9

SHA1
90d280e424070274ce4fc8b3798598d3fa25bfa2

SHA256
1b33241f47c6aaa608e11f36e595f929bb96560a610ed3d8fd0cb203e4922357

SHA512
23a873d1c0e68c50dab1c31a062d8d3971e67fb022d47b89f3497a5ed765236eedfe5429b8730f2feeeb8c08e7a80f6dc8e5e9d65af6c7557cfda3ed77497e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA6209CAC34444BD6B9BC28E99BCF643E.TMP

Filesize
660B

MD5
76e7848c5cb28c9e0514d5e4cca7895c

SHA1
8cc61e8ea5da1538895f98caaca364b4ad4f82b5

SHA256
2f669020c8187e11f2529f484e61d6e78a666d8df7c6295fb72438392c456986

SHA512
26f0dc16e30b9aad75802b2dceb8e9821c31eca57055468391448fae449a3994a3bf10969af3f2139436ac9ad2c29dd6cde869d9df852f92988bd7922c96240b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/1960-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/1960-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-26-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-29-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-30-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads