metamorpherrat | 2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699

General

Target

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Size

78KB
MD5

4a2966b481f738097e4c0a574ed70d00
SHA1

94b17490616dbc1499ea0e0ee39f43eb4f709615
SHA256

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699
SHA512

bc8e321b039c23a64fd55743a3cad9f29f0fd53e258231b107988ae6761698de12c83a8d229108cab612cbd43d39a8f2195a567be5fea85868fba4ee81f256c2
SSDEEP

1536:6tHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtwF9/jM1uQ:6tHshASyRxvhTzXPvCbW2UwF9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	tmp7C06.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7C06.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7C06.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Token: SeDebugPrivilege	2012	tmp7C06.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3164	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	84
PID 2520 wrote to memory of 3164	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	84
PID 2520 wrote to memory of 3164	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	84
PID 3164 wrote to memory of 3400	3164	vbc.exe	88
PID 3164 wrote to memory of 3400	3164	vbc.exe	88
PID 3164 wrote to memory of 3400	3164	vbc.exe	88
PID 2520 wrote to memory of 2012	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	90
PID 2520 wrote to memory of 2012	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	90
PID 2520 wrote to memory of 2012	2520	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	90

C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
"C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bggkcfnr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE0FCD3878E343F0B2E0FA45BAB95186.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- C:\Users\Admin\AppData\Local\Temp\tmp7C06.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7C06.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7D3E.tmp

Filesize
1KB

MD5
c0e8b9b6bb29ac451c9e090515fb074e

SHA1
91192c37c95df7ce9610df2ad6b5f4fc7714b84c

SHA256
1035a1f54a4ffa98563d0b0297b1da6e7262981aae278daa4bf52d63f3cfa1d1

SHA512
3d4cde11ba41fbd5a23def8bb5d78781aad0f9202ab694355b86dbe4334aa11fee0984047de5eaf42caf68b67cefc089c2c0da09a66d8cfb49ee246897678144

Download Submit
C:\Users\Admin\AppData\Local\Temp\bggkcfnr.0.vb

Filesize
15KB

MD5
950eb095c6a161505f0bd962dc570afe

SHA1
b785ea7669469dd945ceffcec989b26f1c830d4b

SHA256
265614a87425f1d6a2d891d7aa9bbdc9fe3063c553363774c415c70b371a51db

SHA512
12429f73abe27efd1ed089428a4a6a42ee8406e0aa3abf12d4f288f157c2a7e33cd573e3ddbe3c73be8b0064dd6a900941928d5fbfb59114730f9595f25b6dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bggkcfnr.cmdline

Filesize
266B

MD5
6eb56e4922ecebd6988a57231dea4fc9

SHA1
b103bca1146ec9829fd4f94b6b7051d82f0e41f4

SHA256
266e49589e2b811249a49a14c3e9f2f45770d6f874e4ecf95c487a16d48668fe

SHA512
bedfaa7053a5c64b17da1ee7d60c1edde9a875383d18fed85d57deb95a0c4232bdef3b063d988fa63cac7f234639b19cd7a0d6ebf30437a86a51ea4a1aae2ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C06.tmp.exe

Filesize
78KB

MD5
438dabc0c9c8c511365a1de3866fdfe5

SHA1
14ada92908d3f6e943088fb0b481d976a6c3143e

SHA256
831a61053df0496652a22de2654405e24ba206a7f006e3de4449a286a076d7aa

SHA512
8d7f3e41ad7d9726a667805709a6e8534cb54646b43b1e7671daf647651a0f9cc9eafaeede55a9c87aeb58dee838847341d4f1b87f9089fe09136cf817363824

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE0FCD3878E343F0B2E0FA45BAB95186.TMP

Filesize
660B

MD5
31ca24833a229561cf333016faa660bf

SHA1
c6edc95a35432a660eba1253062bbb1651b00e83

SHA256
69f3f99084c234359f6264cc21ea6770a946514e75dacec23fe8287a2f1b0bbe

SHA512
fdc925b1b67a77752ff3854c2f6bd121b0c6901ca4c470d103310a6d1f98e2231a128d2a2284c38f18eabf906291fad7421f1c4c05e77944ef606b98e36a6c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2012-22-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-24-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-26-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-27-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-28-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2520-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2520-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2520-23-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/2520-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

Filesize
4KB

Download
memory/3164-9-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/3164-18-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads