metamorpherrat | 9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713

General

Target

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Size

78KB
MD5

b8f29f75ed83d16e2ef8ef1931a23b6b
SHA1

b44f07f8a645e8a5581db4ae95c3f52a9dd78502
SHA256

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713
SHA512

7e373e9465cc012236c71e1888d751e046ebc2badeb4919b118b0531790a79eeaa628ccaeab6ed7aef9f8103ef36ad0a5c711f2b0ac1b42cdb8974e56b8c951c
SSDEEP

1536:6tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl69/v1U3:6tHY53Ln7N041Qqhgl69/M

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

Executes dropped EXE 1 IoCs

Processes:

tmpAD38.tmp.exe

pid process

212 tmpAD38.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
212	tmpAD38.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpAD38.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpAD38.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpAD38.tmp.exe9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAD38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exetmpAD38.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
Token: SeDebugPrivilege	212	tmpAD38.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exevbc.exe

description	pid	process	target process
PID 1744 wrote to memory of 2656	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1744 wrote to memory of 2656	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 1744 wrote to memory of 2656	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	vbc.exe
PID 2656 wrote to memory of 2952	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 2952	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 2952	2656	vbc.exe	cvtres.exe
PID 1744 wrote to memory of 212	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpAD38.tmp.exe
PID 1744 wrote to memory of 212	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpAD38.tmp.exe
PID 1744 wrote to memory of 212	1744	9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe	tmpAD38.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1nilcrl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BB6394E664B4DEA89CABCD1CB84B6EC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp

Filesize
1KB

MD5
4671807bde8645ad4920214cf1af7b55

SHA1
0b23d0f29a27d59484849643ad3e5fa293dfedbd

SHA256
7586b06fa2f4da3e3964461783656f1c447b035a2fe588cbe5eab2beb67331d9

SHA512
3a41074881888172a2c4abb8cda1085fd538b7cf1044f7bea5eb775cb62e3cdbfca3d580f5f4fbd84f255994897f9a651526142edf205894c7c6d7d087e80650

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1nilcrl.0.vb

Filesize
15KB

MD5
3ec36822b50fc4d1606045e4e00a511c

SHA1
71a9762edc772852c1d8e6deaa9432e67b576de1

SHA256
a5ed12c5f52c4470186c6086b49b909e4de5ffa201c94cb338ca7d3f1244a457

SHA512
9088aca1006f5ed788093e081b2700482d6c6dcd30fefdd3b2460c7570a4482fd1bac51ddc5e82d3649f57db1d4512a96a7fc02f7dbd8bdb71087b0da6588b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1nilcrl.cmdline

Filesize
266B

MD5
321f282acb4f9c4f7e7497f392201f2d

SHA1
3abe4926f727a43914f4b692943b199bfdecf197

SHA256
6bdafb9ee5c9eee9a55fd0c2ef1dfee028bfe3c12141b67d678b3d86f2dcc5c2

SHA512
52d85aa707c186041a85c1bddb0ed8fdf3dcaa462a9af2529db2dc26b65b933edd9af3edbf6866e216d7e6b96f9eeccde2865c2fb12f06c08aa8021e450ecf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe

Filesize
78KB

MD5
19a02c8375fb7eb3732b26710f8a7a76

SHA1
b3c077eb13421cfa298ac354cf5ed956b7130bc8

SHA256
d283c626bf0f9239439beb0fc2328f2b6cf4d3a14b9fd6d78070e41c5d9fe2d8

SHA512
cfb81a93a10ff4878cca4e0abbe51e883194d3dcf6d745ea460cc38967823d827b85254eb3b58e497750143e5f5c5831bbcdf808a2f531c3f29b4976bacdc9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BB6394E664B4DEA89CABCD1CB84B6EC.TMP

Filesize
660B

MD5
c3474e2b9d53470a25ddaa4aac2c437b

SHA1
ce3e7c0e40fe999c44c11797ce9015b2f5ab8c6f

SHA256
8d260cd83ec4b65b0f81804b2a713900b643a3f05bd4bf3017c8ab47b5cfcfe1

SHA512
3363e50559d3ccd73ac6a7649a218beaaaeb7f10b1ac8100d0eb9d85be446b068e6471cf6073794ace3b4a936a0f052df60cb98e3a70b66f45f755442d10138f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/212-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/212-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/212-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/212-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/212-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/212-29-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1744-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/1744-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1744-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1744-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2656-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2656-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads