metamorpherrat | 4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64

General

Target

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Size

78KB
MD5

3be3da337f614dc1ea0697ee3da2f670
SHA1

2757deb690cef71fea6d519d7db774a3fab47888
SHA256

4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64
SHA512

eaf2896b8c0b5be90d166929e452872c530669f4d94a3c1daffd17a5d17bc96ee8a9999abe9f14781917c952b7fbd272e5466dcd0af01a90cb3f090644781c57
SSDEEP

1536:VStHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte19/e1k/:VStHFonhASyRxvhTzXPvCbW2Ue19/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	tmpC36F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC36F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC36F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
Token: SeDebugPrivilege	3088	tmpC36F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2140	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	89
PID 1812 wrote to memory of 2140	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	89
PID 1812 wrote to memory of 2140	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	89
PID 2140 wrote to memory of 2632	2140	vbc.exe	91
PID 2140 wrote to memory of 2632	2140	vbc.exe	91
PID 2140 wrote to memory of 2632	2140	vbc.exe	91
PID 1812 wrote to memory of 3088	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	92
PID 1812 wrote to memory of 3088	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	92
PID 1812 wrote to memory of 3088	1812	4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe	92

C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
"C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nsoee6ru.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc381C973C18D842EA902E25D0F871AB84.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4484fe759be9307b4c3af22949c9fc079d37b401316682e0e4e2a18f24c98c64N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp

Filesize
1KB

MD5
f251bfd3602ec39c54ad4568438097ad

SHA1
690bbba255ee791e683818aa3c09a3314e358030

SHA256
c005ca94e518f0f0fe08a5380d3490b53ed0e6c3a535f98ff769f3451dfbb842

SHA512
a777e2720c254fbe91ebf4a305ec1eaff6de5dc280ab6d84c1941d164947544f6d24dd1b53fd3f0882e9935cf36d6e4d070adfbfc1e375594b85ffa1f50426da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoee6ru.0.vb

Filesize
15KB

MD5
ba32e111c83e24ecbf992e3d9f86eac8

SHA1
f2235018f193dc1534cf871938597c31223d3f26

SHA256
339b94c92496a36dec4b5943514b47a9285d7595329b39b6d025115b5bac83b4

SHA512
7a360a5538d13b17c99880a41891c15e373eadbf9e5301a2c2077f2b7e22fba0ce348df3a3df015b209bb06d1efebdc924607c57e8c401ecf6eb7e5f005481bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoee6ru.cmdline

Filesize
266B

MD5
244fc4ae3fbd27a7311a760b2ac2ef6a

SHA1
7e0fe87cb47e47d84c9a0f1cf479786131def37a

SHA256
daccdc8586f5490435c4214de6d6758c03ace54acd25e616450e3c4b0f7a527c

SHA512
8dffa4969f5f94b88b80b7578cc5109f970e31507e64cd61bf703e52f3e4ca35fb3ec7ab42042c4abb452655b3208b55553660867b5c32dbe31cb04a796c3761

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe

Filesize
78KB

MD5
b818e2a33e108f730a41a5a1541230e9

SHA1
cecdd89d2acddb4a8f55fac6e1ba4808d1c93dca

SHA256
666228b023f27619b4bbed665ac7630b4034b3b29338f9531b02e6e63e155267

SHA512
e6f25c93651ce1c8c61f3841a0fb45521b32770cfc556caba50e7fe89c82cb1362a49c0cc97a822b4f4a75edf7467ee89ab7c541cea8bb2fc0edebeced1c2772

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc381C973C18D842EA902E25D0F871AB84.TMP

Filesize
660B

MD5
f30156fed92ae43c9b8807fed01e586d

SHA1
08d327af2ee9f311bf2c83c5ef3e37e4b7847874

SHA256
abb4d8da660e37d30b305ca2add6116951fd6cddbea92e7e024660b4351c1762

SHA512
cc46faf358ac085f24a4217f2ab5be44f40ffe10c70f140151e3e1541f9fe3969f74438ec5ce2e38f2faa1ee186b71c4bcfa342547760a05240d3acd70ccb65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1812-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1812-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1812-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/1812-22-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2140-9-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2140-18-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-23-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-25-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-24-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-27-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-28-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3088-29-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads