metamorpherrat | 76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137

General

Target

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Size

78KB
MD5

4bace1dc2a9db3db9638238233a29b60
SHA1

d4c157c6542dcb06b43f897a6926341772176165
SHA256

76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137
SHA512

e330d7485d5a028fb69fc5b76a47c3cdfef660cf9edac4191e07d35da5aca3b10f7bd822606e22bb0d17ad4883784bf11555ff9d63d02d13d32b99baa4ebcdb7
SSDEEP

1536:HPy58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtP6R9/U1wA:HPy586E2EwR4uY41HyvYg9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe

Executes dropped EXE 1 IoCs

pid	Process
1188	tmp8E75.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp8E75.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E75.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
Token: SeDebugPrivilege	1188	tmp8E75.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2204	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	84
PID 4144 wrote to memory of 2204	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	84
PID 4144 wrote to memory of 2204	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	84
PID 2204 wrote to memory of 1980	2204	vbc.exe	87
PID 2204 wrote to memory of 1980	2204	vbc.exe	87
PID 2204 wrote to memory of 1980	2204	vbc.exe	87
PID 4144 wrote to memory of 1188	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	89
PID 4144 wrote to memory of 1188	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	89
PID 4144 wrote to memory of 1188	4144	76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe	89

C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
"C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dsjg7icm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB368E6883F74E64ABF86C67F3976CC6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76446404eb3d02828f0fcb358747b161b7ced794206bd82cae2afb840bfa5137N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8FDC.tmp

Filesize
1KB

MD5
6299e2b6a1ef57833911b97d5789819c

SHA1
10afa304230c3536faf4e639d3250304058a65dc

SHA256
da0c3b7b1a79ecb4555fddbc1638664dccd66dbb2cfde89935c83f1d154c3726

SHA512
97c3776f65d2a5e76d934a889ad7f756889fe02577cd3db1be6780c6a52dac1ac9d665d34f6cdba7bf2138242bacb0567b0807c6f5623c2781698e11c78f1765

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsjg7icm.0.vb

Filesize
14KB

MD5
ee55ea1efbfa3dd90dc3c01f4e501dcf

SHA1
03e0caf3d157f604db59ed6a97545aa7386f1e6b

SHA256
c8243e094be7cccf4b80c241bfacb147519333fea40122d315f627a47ff8e13b

SHA512
2a9cfd10f2bf01a0dab28cd76255bdc054db9eb753217bcb34f27052fef2dd55cea532bcf95d93a6dfd9f3b5c8521d2bf26e013fe3b33b4c852deec7a32d65ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsjg7icm.cmdline

Filesize
266B

MD5
7dfac119922323be15d7a6821c3ac599

SHA1
5533e61c482ef230858ec14d6aebe712d50afd97

SHA256
ba63ab4233a8897745665e8f968b110b9c8adf248edf4e5d6094a7b19d879ec7

SHA512
50916694a756e9f71f327da6bcab467394a39e6a4ff4865d09c37d20b4b2b08c1c9da6a597608ee5c355495db2ca5cd2e757d11fe93a5c7e82b4c5fe5439a2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe

Filesize
78KB

MD5
c5a61193fd8748013104c29ab636196c

SHA1
6690aa391bc9124a498a01a7d7ad544e93c912ab

SHA256
2001a01148a3601bed5152ed8ea6c5ffd9fda87eb85a1d06ce1396e3d9ec566c

SHA512
5bf1b4e5b1c909b163682e275ce1763252c5dd8d543bf55c03e1304517c85c83f299760cbf5b9272919246a51ffe7491db1368259b7998b714ddfabf3b4e59bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB368E6883F74E64ABF86C67F3976CC6.TMP

Filesize
660B

MD5
9451ab3c6975d6ab152135151a50387b

SHA1
17a3931ee5ce42e6528bd283deb994ae50bab9cc

SHA256
827b8e624fe5d17dbc65e4f363c0653a802cba9e3bb656ed1c0a127ff51996ee

SHA512
2f6b87329089bbca4f5bdc9565f32ec33f65192617894c537cd56ec3f69c69cccbcb788286e84e2b83fa0b9c05f7c4d8d5643ebced2a568a98d445af8dc79b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1188-22-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1188-24-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1188-26-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1188-27-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1188-28-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/2204-9-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/2204-18-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4144-2-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4144-1-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4144-0-0x0000000074D12000-0x0000000074D13000-memory.dmp

Filesize
4KB

Download
memory/4144-23-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads