metamorpherrat | d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425

General

Target

d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe
Size

78KB
MD5

171c8adeb595a0d620de28f1c284ad3b
SHA1

e1f9764dedcf0dbd52f9ecd49fcf899684ff17ed
SHA256

d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425
SHA512

e754da1865b58e534d647cc606ac45aadfa377b7f066d6546609a603441f60e94caf0d99fa0f1ec045891f830caba0019c65a786c442f1abf1cd593d9ad25b4f
SSDEEP

1536:Fe5jSDXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC699/wU17u:Fe5jSzSyRxvhTzXPvCbW2U19/wf

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe

Executes dropped EXE 1 IoCs

pid	Process
3580	tmpD050.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD050.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD050.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe
Token: SeDebugPrivilege	3580	tmpD050.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2556	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	85
PID 4744 wrote to memory of 2556	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	85
PID 4744 wrote to memory of 2556	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	85
PID 2556 wrote to memory of 4532	2556	vbc.exe	88
PID 2556 wrote to memory of 4532	2556	vbc.exe	88
PID 2556 wrote to memory of 4532	2556	vbc.exe	88
PID 4744 wrote to memory of 3580	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	90
PID 4744 wrote to memory of 3580	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	90
PID 4744 wrote to memory of 3580	4744	d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe	90

C:\Users\Admin\AppData\Local\Temp\d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe
"C:\Users\Admin\AppData\Local\Temp\d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z2ruc6kj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD10B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7438F1669B0747A687953673F0C9398.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\tmpD050.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD050.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7eeda6900eb2e9091d4bea1d71aec227307ac3738e78f6b869a2b509943c425.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD10B.tmp

Filesize
1KB

MD5
936ad959eab79eef58e78cb621d924cb

SHA1
e311f5aa7b281f741230e66b60806b4e24820475

SHA256
83e705f6f88d728d3139750caa2eea0f273abfa4e15f3d128c6cfdfc9e4845ee

SHA512
a1388aff1c10252dfb875dd0cf269027eb88320230208dbc81753395df7852ff50f081925e16fe56166a91b00908d5db2dbe5a3dabfdfbceb21ddf14b469cda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD050.tmp.exe

Filesize
78KB

MD5
5b6c53f41d27bf43d524564b83958f5c

SHA1
991f76d406d6c363438bed30fb07f24e8550eccb

SHA256
9d4d8ba5ea974c67e70735653218455a64128674964b90c187f68e223d92dc6d

SHA512
698dd630b6195b220efb6574491b1cee8f3d0454dbf7acf93e237f3336f6ecdfc327e573e8987a47ed2d1a20314ef215440c0125e42c210a6f6837fceb0d823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7438F1669B0747A687953673F0C9398.TMP

Filesize
660B

MD5
f09faa0b610f6517e61477610000a488

SHA1
9c555d97a722c78b4d2e2487eb1056463a2cdb34

SHA256
f4fb083753e5fa9a297ffaa4a318a52b3c153e9cfe2a58a4c903f2b26d17f37b

SHA512
c4a685323965def8dcc86c470afd668bd31d0cd950ee6e982a1c659295a9b1ffba7e649238229d64d40baa9d1d44f7967a298de0147964c7681c33a09f1f2163

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2ruc6kj.0.vb

Filesize
14KB

MD5
bfccf0e581c4e91b29f092f129108b67

SHA1
af1011d539032b19978bc542746068027ab878c0

SHA256
f6b9c20492b5070fd721dd1eb757f9d864c26ae74d84f092057371d7e03a56e6

SHA512
b12007ff67fcdac73fbdc3fd7fc8b27aaac1d986dbf8fc90ab4e79040d8ac2e5faf4b9b6bf52f55e517ca72c7c2b9466ba267b28461d17bff9cc76183411ebf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2ruc6kj.cmdline

Filesize
266B

MD5
29ba34c20981b228c2a9293f33987aad

SHA1
d56acf803bc44a083c0f8cfa9eb6a664ae1c0728

SHA256
99682f10f555c4c68246ad6db228307952e2fb0183eea820bdd6ed05a98de8e3

SHA512
95d14e43ff8a7ed18ee8506e860e562c58f9d83d54864ba75807bd62c027f86c9963fe279714d502c239fa7332238e3950d19887d8673951e073e13d36c997bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2556-8-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2556-18-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-23-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-24-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-26-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-27-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-28-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-0-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/4744-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-22-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads