metamorpherrat | cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d

General

Target

cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe
Size

78KB
MD5

0ee79a1c7c5e844056d74cbf11de954f
SHA1

14fb399eb78717b616510e0f6bd566a4d8aa30f2
SHA256

cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d
SHA512

4355303461ec2000890d8b0c8036a60327657d8f6d84b3749f5309c81c6039ebe044755b23f58b6764eaa8df6ebc90f32b2a45187093a1e4236d7cb90a0287a9
SSDEEP

1536:ac5kdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96Y9/d1lh:ac5Tn7N041QqhgH9/L

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe

Executes dropped EXE 1 IoCs

pid	Process
4748	tmp8A6D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8A6D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A6D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe
Token: SeDebugPrivilege	4748	tmp8A6D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2800	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	86
PID 2796 wrote to memory of 2800	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	86
PID 2796 wrote to memory of 2800	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	86
PID 2800 wrote to memory of 2028	2800	vbc.exe	88
PID 2800 wrote to memory of 2028	2800	vbc.exe	88
PID 2800 wrote to memory of 2028	2800	vbc.exe	88
PID 2796 wrote to memory of 4748	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	90
PID 2796 wrote to memory of 4748	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	90
PID 2796 wrote to memory of 4748	2796	cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe	90

C:\Users\Admin\AppData\Local\Temp\cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe
"C:\Users\Admin\AppData\Local\Temp\cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\islfmygp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9737118B478A47C0ABAE69EE88E8A644.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc98f9bb61336379faf2a42230467da95b0180ad9d2dba1ed6434f6af9628c0d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BC5.tmp

Filesize
1KB

MD5
ae89183bd813799e859f16dc798e9986

SHA1
13dec7edef40c987484f9bb6c8e00424ec01e15f

SHA256
cf2ce19f5c9feccfccfc9824437dec0477015331a1266272d8e174d454d3b506

SHA512
8d51386ffbeb8db6dc2a05c285ae3e1c4abb2d3d2651fe5984a7d02d3d2f8183e47a411886ef5189d422bced42daf890e7ed6a3e4af63c1ce5c5638e776a23e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\islfmygp.0.vb

Filesize
14KB

MD5
876caacd812b5bbe3b085fbf1723b32a

SHA1
d062ae54fe449f82b4ffc4ce1c5a9d68b7fce600

SHA256
0e6dd2734a3cde5235e6887f4eee346d33f6499211baa73a8c8d36c4b631ab9d

SHA512
66118df8339626e46f9ef17014858cc209b268a2108cae3c48dd4d6ffc0166810d35ce469bd25c4d82075c8de7cc8b7d83c62c03289cb6183c71b206a4a2c1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\islfmygp.cmdline

Filesize
266B

MD5
ba6594272d28e8c2ad92ce9a3aef55ea

SHA1
ca7945419e0b1605f90aa7027f1fd7e5808a1dd6

SHA256
cf720fe271a608973d96a3ea3091e07e6c71dfc6ff3edecbdd7407b392e815f8

SHA512
8cce83250a230657fa464177f9fc8e75c6fb4d18043951994e91dbb0af34c046cb58e5313f860eca992d78d0467917c408a56a0efc8ad0120838340120011733

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe

Filesize
78KB

MD5
5dc54135439696f146c7cb5f36bf70cf

SHA1
4f904a430b537a3ae012cb999098d6559ccff9e7

SHA256
3214b64679c738b6beb067b8acd563dfc166b45ff53039722c347b20ac6b5807

SHA512
5b2c094c3bb2daddcec1c7d1a68a2799f3e7effc48eccb2fc5bd04ffa17317ea3f743e74a21aa3b55ab6d8180288230da0d440bab42839dab46d7e30297b5894

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9737118B478A47C0ABAE69EE88E8A644.TMP

Filesize
660B

MD5
0bc7614a8cdf9f594291d11bd17273be

SHA1
d6f89fb1e4c787b220d9ae6e3bb42c92ba7de33b

SHA256
892868e3870b67469385c17972a4ccd3676fd4b551bfc4ae620101d787d69f91

SHA512
ef7505b402fb8dcffa8412a765b2e2e0e5ccb8d4364b67446ed5ee4ecf2ce6b1845cd27bb79f97d452d9f4f96d775d34d6a034f51d46b08b1e1df5e5a3876f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2796-22-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2796-1-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2796-0-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2800-18-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-23-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-24-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-26-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-27-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-28-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads