metamorpherrat | 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d

General

Target

5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Size

78KB
MD5

f3f5a2d7317fe6bbfc8e956b8f05f720
SHA1

5335b48c16b8a577344e8c11c82a7847a1dcd8ad
SHA256

5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d
SHA512

da53f307a6a1b92ce96ee594c3fd8f7380dbcc0543e5a08c87877a05680946d8835a45f346fa4e1223e28eeac21bc13bc75f43cd4b461f237c252caa30392e54
SSDEEP

1536:MHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRJ9/f1jT:MHFonhASyRxvhTzXPvCbW2URJ9/d

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe

Deletes itself 1 IoCs

pid	Process
4212	tmpA335.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4212	tmpA335.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA335.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA335.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Token: SeDebugPrivilege	4212	tmpA335.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 1100	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	85
PID 3600 wrote to memory of 1100	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	85
PID 3600 wrote to memory of 1100	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	85
PID 1100 wrote to memory of 228	1100	vbc.exe	87
PID 1100 wrote to memory of 228	1100	vbc.exe	87
PID 1100 wrote to memory of 228	1100	vbc.exe	87
PID 3600 wrote to memory of 4212	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	89
PID 3600 wrote to memory of 4212	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	89
PID 3600 wrote to memory of 4212	3600	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	89

C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA596.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA596.tmp

Filesize
1KB

MD5
efc3f15e84541a00465313bb57b68270

SHA1
7ff928dd192046f3e65fa410a79f175603f43ea7

SHA256
93097f22c736695933652a5fa64aca4921568e5879725be87231ee2c1df4d80d

SHA512
5795fbc233c9d5981b5d2e7aab76fd34442ee3eec4094379ccfcddb1573c87f4b680bd6d79c7c98b4a14301803f79354e52a076524bde5db35213a8839bf7506

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehgogi6h.0.vb

Filesize
15KB

MD5
162f74758670b65dbc0d419b01ab078f

SHA1
4ad252fe2d4f575f703a7c5670474648a586300d

SHA256
18c984575a4a581955cba85e5351a64283e7dbd3b02628c195c675d25467b638

SHA512
02e986b1b43166398c1fe42c1c2c9062294785b0e7bb8e7a17e3fa0281273df66ec1afcdc883746a426fa2b721baf30e0f64fd4c79da23132473efb1fdc967ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline

Filesize
266B

MD5
01558bc62c63242a6661b44b7813985d

SHA1
24ea7eab557691dedfcb6a51cb17f39a8f76b88d

SHA256
117d49e47ad475ca0add2f082b899af1b3d688af1c969594ebfe8cce43e96425

SHA512
394e5ec9cf00971f29dde548f3a1e8167b24330cfe86d1e9f8122c67fdc5d01401ef8ed25e8f8848fd466defe2f977a2b4419ba784530dd1e711a4937a0f18db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

Filesize
78KB

MD5
d79406ef03f110f019b286e354d82f67

SHA1
9f2b660dcd34cce7d0c63c87d8912a0c0c8aa3bd

SHA256
53eb93b83b06510ce861966047204e9a66c64a634d83df8c046bdc6ab91175d4

SHA512
b08bdb6eecb0f74d15afbb04f3c53de04b234af945dcba71f37ce36535c8a9d51fa4d2e92076fda30ff730f052e94c710c1719f4e8001821c20cea2d8f9a3b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP

Filesize
660B

MD5
56dc57a2daa7ed585c60f7e9f5501951

SHA1
b6ea53163ab4ac7b54985153debac8b7ba1955ca

SHA256
1da41e59fb9c7c5fa25de3ed4b002bfa3c51537b8ff34e9db9f3f69a4eef9658

SHA512
e47a8924ef4132cdca8362273c6745e9307dd5d1eda6b3ddef2cc3a58ea0b11be9650176b3072ccebb55ae4b65a370da4ad378280c4b71226d5a906a90c84374

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1100-18-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/1100-9-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3600-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3600-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3600-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/3600-23-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4212-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4212-24-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4212-26-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4212-27-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4212-28-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads