metamorpherrat | 0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853

General

Target

0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Size

78KB
MD5

867f64250d4384051c727c9675e6c510
SHA1

12f0d5a504370abab33f466b13295855125d7cf1
SHA256

0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853
SHA512

4bfc34868bbfd6e8b248133be44c64da27ffbc2da007db96ead3489d946b28953087adeaaa9d0731ba730cc13c8660e58209354004fff60986f329ce9c938a4a
SSDEEP

1536:595jSQvZv0kH9gDDtWzYCnJPeoYrGQtN6lz9/ha16q:T5jSQl0Y9MDYrm7i9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	tmp901A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp901A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp901A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
Token: SeDebugPrivilege	2172	tmp901A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4752	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	84
PID 3516 wrote to memory of 4752	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	84
PID 3516 wrote to memory of 4752	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	84
PID 4752 wrote to memory of 5116	4752	vbc.exe	88
PID 4752 wrote to memory of 5116	4752	vbc.exe	88
PID 4752 wrote to memory of 5116	4752	vbc.exe	88
PID 3516 wrote to memory of 2172	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	90
PID 3516 wrote to memory of 2172	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	90
PID 3516 wrote to memory of 2172	3516	0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe	90

C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
"C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q9cxeb91.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9153.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E0B629BF2EC4F30B1F95E25F195B48A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ed2d7bb22e3097e9390ad9fa6caf6be4513ac5eeb18c051c36ce92aceb60853N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9153.tmp

Filesize
1KB

MD5
31a58cd8c1bb874666e9cb85af7659b5

SHA1
6b83e23f1aba4a49debeebb468ab107f46abb617

SHA256
7a3045cd9ac3f707110b7fcf168ef4272d272d6bea887d56a14254fff85a2066

SHA512
930162b992bf997bfa53c6f0e47dc8716d642dfbfc00c9eca671372d702eb1fe909cf2c16e3d197cd0d227349af6bafb18339d1731dff394a5b781c294ceae00

Download Submit
C:\Users\Admin\AppData\Local\Temp\q9cxeb91.0.vb

Filesize
14KB

MD5
b8e2d47e8d706db88163c221a9cec170

SHA1
d5e3e58e3ebad19767fd06cd7539f531805a5c0c

SHA256
6030045183685a1e997cb96542385290a18f5b52f2e4285847680987b60e772b

SHA512
6b3e93551db0203d7ba6d08948a760522667de399d3b7ffa549419bc7e0f1c30ef94338e053746fa16a159fb10a61203329f20c09f61e8940a2698fdb09a0606

Download Submit
C:\Users\Admin\AppData\Local\Temp\q9cxeb91.cmdline

Filesize
266B

MD5
50d247c6c6c064a41d6bf0f665b4b45a

SHA1
4dfaecf104e51567a085a7f65b65cb402d8f8a9d

SHA256
4af9177e89f047b81072d75894d09bd4b53c3739890c0d1e33476b581cc37c2d

SHA512
7fb9aad22eb1454a11baefa92a0aff9e786fab2fef3b6e20639105098a28af854dc4fa5196477da232c918b1d03c6d2b1121a6a12390998abd0b773ebbdebd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe

Filesize
78KB

MD5
9f583b95323e8275c1159e852bdac0f1

SHA1
e3e3ff67bea2e0c2145d2dd673258bedc78a9e80

SHA256
0f4ad282fdc4ce8550c5d6e257571529372958c6d54da586335eba6278deb743

SHA512
dc404a50eb0ec3016aa9174023047b9c8c1222153f48e5c59817fd25459e9ee74b3a462d97ee354092c3252c73233b41c663d737f52776604b832a4b3df11199

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E0B629BF2EC4F30B1F95E25F195B48A.TMP

Filesize
660B

MD5
af1f8b64e3a3c34f3713a16b683cbc77

SHA1
38daac14a3b97d631fb54dfc8a64ad3c7c6ad545

SHA256
b3cc8017e1c5ff245a93103fa3205eee15c3e5231d5f2d755887068d8387dc3a

SHA512
38bf4571cbb8ed71af3b4cb3e897023334a99d30f2cfb86815c8a21805fd6b7fa8648ca4a9a09989dd671ffeaf4cb553a400c9549a3f331c017e1af60156f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2172-28-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-24-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-31-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-30-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-29-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-27-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-23-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-25-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3516-0-0x0000000075412000-0x0000000075413000-memory.dmp

Filesize
4KB

Download
memory/3516-22-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3516-2-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/3516-1-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4752-8-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download
memory/4752-18-0x0000000075410000-0x00000000759C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads