metamorpherrat | 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94

General

Target

29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
Size

78KB
MD5

2b6d788a913418a66f8ae8deb56a9332
SHA1

433fc427bda528c88641780307764dce8564ecb3
SHA256

29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94
SHA512

cf77d1c36cd7fbe00d33917a0c924bf6b7ba1b604730198b37fffe1e6139cbd8c4946a1124334228d80e1936ac941a370a8d6703058c6899ce97ce5cc13ba740
SSDEEP

1536:ECHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQt1p9/K1LiQ:ECHF8h/l0Y9MDYrm71p9/1Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	tmp79B4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp79B4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79B4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
Token: SeDebugPrivilege	4872	tmp79B4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 1464	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	83
PID 3644 wrote to memory of 1464	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	83
PID 3644 wrote to memory of 1464	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	83
PID 1464 wrote to memory of 1056	1464	vbc.exe	86
PID 1464 wrote to memory of 1056	1464	vbc.exe	86
PID 1464 wrote to memory of 1056	1464	vbc.exe	86
PID 3644 wrote to memory of 4872	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	89
PID 3644 wrote to memory of 4872	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	89
PID 3644 wrote to memory of 4872	3644	29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe	89

C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3cbyzos.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc923C69509D4A4D34A674E65432E942BA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp

Filesize
1KB

MD5
eb8ae20e20234e76165ea15d10629768

SHA1
b3f51ad8dbfaba891cc7d02b80fa55bb8df6ed5e

SHA256
0cd799c0dcb35abf434bb2ae9714b66bc6af321575fe091441f441f07a3b6580

SHA512
338d040e8dc28b7160475e1f769841c382d3008a70142172a0f5ce370530945a27a4677601febe99e40df66aad3fe8bd873f7c8cc85cbee34194322340928471

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe

Filesize
78KB

MD5
9b278b1910f42207aa7692af044bf72f

SHA1
3825ae05ba75ae3bce6d7d99d2c39e8c36f755a9

SHA256
00354fce48a7eaa9debf2b0f82096fd209de7cbc135cc9acd8065a59dc5d1fb7

SHA512
ea2629fdfab9ad688f1a080befa4fd42d1eb1ff43b7e719597e1ca3ecd419bab4eaf2d17fadfb59885d15e5457aafb008aeac0ffd425ac75b1c91031b292f801

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc923C69509D4A4D34A674E65432E942BA.TMP

Filesize
660B

MD5
8300de003d873d7f79633f20925028fb

SHA1
f41e6f5069fbde633584cdbe991849f894c65ae5

SHA256
3de3605da24876224dde7069d8119af572fbc64687089750017faacda25d5f07

SHA512
cdb9e7b98b3bee23d0c81dbbbdadf5ef2f709801ae8f7bba3d88b9fa710336dbe27d741bb5e76c64820641d76cd1ca838c1614363b97696c9d5b3abfe9a2b853

Download Submit
C:\Users\Admin\AppData\Local\Temp\w3cbyzos.0.vb

Filesize
15KB

MD5
75d528267c5b44248454d85ef62da806

SHA1
2afaa29286c1fbb7b43e83285e3e3e588444033e

SHA256
f56df32264f61a1943f46b2141a8930222451c6db0ae32c262b7b601859b17e7

SHA512
970b35bfb3b7172d4314d4a17b760598a650ba4d894b829645b2e69d97ca0e3038816b98ca5e46b14c6892b43a69cae89c3f6cacf8dcc77c4955d7d9ccbb8758

Download Submit
C:\Users\Admin\AppData\Local\Temp\w3cbyzos.cmdline

Filesize
266B

MD5
94d94c041358fbdbf836ff00178eb8be

SHA1
a21dafa5c171c4fa769ef6253b8c1a43cc7e99af

SHA256
e4b1e58b57fa5f21d8344dbbe1f660443c2f3f17b151e70268bafb159369ce86

SHA512
0e1037930fd23f4e9a6e5ba6c9d1d3104ebc15181d63b223f2768304c0c39eb1610f6a3e754ac4822d70f371f85a503901987c508621ae296ac270ee9b1f9c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1464-18-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/1464-9-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3644-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3644-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3644-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

Filesize
4KB

Download
memory/3644-22-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-23-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-24-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-26-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-27-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-28-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-29-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4872-30-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads