metamorpherrat | 6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f

General

Target

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Size

78KB
MD5

e3dbe94d0c54fae63e9347ba0db697d0
SHA1

06db23739a8c3cc35f236963d5ba7797b8848139
SHA256

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f
SHA512

62e8badc84efccce08327145e853c94ee94f9256a08e391d1dfe1c2c090680d2eefe8128f0efa276438672246c190eeba9ad80120409b7e667060304ad82eaac
SSDEEP

1536:hPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR9/e1ck:hPCHY53Ln7N041QqhgR9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	tmpA131.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA131.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA131.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Token: SeDebugPrivilege	1848	tmpA131.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4532	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	85
PID 972 wrote to memory of 4532	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	85
PID 972 wrote to memory of 4532	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	85
PID 4532 wrote to memory of 2704	4532	vbc.exe	88
PID 4532 wrote to memory of 2704	4532	vbc.exe	88
PID 4532 wrote to memory of 2704	4532	vbc.exe	88
PID 972 wrote to memory of 1848	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	90
PID 972 wrote to memory of 1848	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	90
PID 972 wrote to memory of 1848	972	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	90

C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9lqjckab.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD52F4E4982BF4CADBAFCDFBA9E8E8B7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\tmpA131.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA131.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9lqjckab.0.vb

Filesize
15KB

MD5
3fa4857fcf6faea2f60e4607a71f3a14

SHA1
13bf2bb5b3a1bd6c09ebe10596b5ed8cab9091e2

SHA256
6c5b03d7eb1f7f5f82ea1394c18906c4ca8567750120f4b1af2c33eb31251aff

SHA512
095a63a8a7ebf26682b03198981fad59bf5989304626575313f783ee08d2e640a80aed9f1db000692ef0ecb0e0e824de443881c7d95790f3dfe7837c869e1d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\9lqjckab.cmdline

Filesize
266B

MD5
5a4f93433949dc5820764a6f518b4438

SHA1
29981cf283f8e9db0330523134c3f18fa98054f0

SHA256
708708298b599320585ad8546c8bc7b88f852349815c74f9ff01021fd4e13777

SHA512
ca8c91fd3c8dcc83726a4213cbb86f09a6cbb251f63488c3de4465a482fae8885f050495349896193ad117a5c74cebc9ff98de50395dd363528853d9e02b2f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3F1.tmp

Filesize
1KB

MD5
d23aef538326f12bf338abf9e67341ce

SHA1
06800146d843aef228e9c3757e42f1c35f324a6f

SHA256
d1dd0b89f9a5257c5edec3c23601c9db8f35d27c7124714483b83230bdf991d9

SHA512
77d5a5ca06de47ed493e9fbfbb5f0184393322888942ad37b0368b1ebe6ae52510696c19c8f6c6745b89a4ca64f920b8905534a41cbd4e5e096e786a26d8cc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA131.tmp.exe

Filesize
78KB

MD5
efed4f1075319786883382939591a906

SHA1
94f54ba61c63106f50920c713cfb534f52aea1e4

SHA256
53560830a6e7d66f2e5ebab83b1a10056c64290604fe1ab3e2822a25898b4fbe

SHA512
2001e0fef992fc987195705e78388bd66559a73dc6305be75b359cdd3a96ffba437124128df2433397f3b9f86ab160e2648e8c9fb859ae7c2fa7b538ae5aed00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD52F4E4982BF4CADBAFCDFBA9E8E8B7.TMP

Filesize
660B

MD5
d0991d23b25e827b3d68190c6ebaa400

SHA1
cdcfe962aebacddd0f1045850e5db9b6ca05f4fe

SHA256
b7981ff2d60596adc537eb5ddb2105295429abb0fa043651c7a153f82bd440b0

SHA512
6cdb9dbd93f993871abd7071e7b5241a983f06692e4d79720c57a21c1398d53ee1bcd8120515fa2b83e8d50d228b87168e4e01976ff4aed7dab504375911eb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/972-1-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/972-2-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/972-0-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/972-22-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-23-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-24-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-26-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-27-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-28-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-29-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-30-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4532-18-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4532-8-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads