metamorpherrat | c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247d

General

Target

c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe
Size

78KB
MD5

ee9a0126b812ef31dda0d48125dd8980
SHA1

b740ceaffd43330544e45c0c9242239133d07eb8
SHA256

c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247d
SHA512

1a2e6031e6aa306b1822e71c0b94f857786ffc569b7244a24376b440306a3209b219a9f122a03dcc7ad55c978539dad76e38fff74641a277c84351d78ef3018a
SSDEEP

1536:ECHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQt1p9/K1Li:ECHF8h/l0Y9MDYrm71p9/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe

Deletes itself 1 IoCs

pid	Process
1248	tmp91A1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1248	tmp91A1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp91A1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91A1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe
Token: SeDebugPrivilege	1248	tmp91A1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3240	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	85
PID 4476 wrote to memory of 3240	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	85
PID 4476 wrote to memory of 3240	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	85
PID 3240 wrote to memory of 3152	3240	vbc.exe	87
PID 3240 wrote to memory of 3152	3240	vbc.exe	87
PID 3240 wrote to memory of 3152	3240	vbc.exe	87
PID 4476 wrote to memory of 1248	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	89
PID 4476 wrote to memory of 1248	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	89
PID 4476 wrote to memory of 1248	4476	c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe	89

C:\Users\Admin\AppData\Local\Temp\c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe
"C:\Users\Admin\AppData\Local\Temp\c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\geq9_l7d.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc579C2A28DEC3453D831D8310EF5F712D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3152
- C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c34326fc248570b6d8339177e518669132547198ac2e9cf7056b46845ddd247dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES92BA.tmp

Filesize
1KB

MD5
dd1231449795845ae6559034dae85a3d

SHA1
4437a83bf09973c49a9f0d53718764e73b1e87b9

SHA256
89c4966e9d2c325ec3a6304bf972531a4661edac21cca45c1a3df17e4d90ad7f

SHA512
4d9b9c4df737fbeb57fcddb527e3035095a0a6143bc2e584d94003eeb7d590a54858f0648fbaca2edc84c6c48f235dc1bb6d465d87ef2949e49abce8a7ef4bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\geq9_l7d.0.vb

Filesize
15KB

MD5
a75026f4519889d324a2e867ca7ea03e

SHA1
2ebbba0629bb97bafbe3cb8845273e3054e7c1ef

SHA256
49d225ef17d46ce6f94e45bf08d913ac17de499e2a9919a10537f9a9f47374ec

SHA512
faf2cd944561f761dee48a521f1a9b243c01ecd64a2d5526207eb53a3275159750eec78969cc92a1e73dfd39caa65563deeab207eac67e9720f84393b9654e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\geq9_l7d.cmdline

Filesize
266B

MD5
d642e619a567142b1f1cec28bf87de02

SHA1
bea38d9b06cefab6fb6ed31a6b091bb1d5dbefd6

SHA256
74634a2e8eba608a2cad1deac66e6dfa33629d9f7e635ea4242553abd6c22187

SHA512
c05d8234580a6e6a9040917fa6e059e1c73d3dd70ae9d634607fda2810c2ba7e75a19b210bd38460eb6a657963adb7303791485da8adc77eb1a50d17e70b74ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.exe

Filesize
78KB

MD5
3e51b385a2d8b88543b75c5b52018097

SHA1
214fd7eece72255c756e14149443b8055545edd3

SHA256
b7876012bcab6739aba2c18d08021d48fe737b787f1bab6e7802c248ecc00d6e

SHA512
e0219982df6c9077c8f55b52eba3fdc79315272684c2d928839923eb82a50fb72bf05b98b6f35db00a2a87dafd755d3daf08f580609ea20299ddfa230591f721

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc579C2A28DEC3453D831D8310EF5F712D.TMP

Filesize
660B

MD5
c4609ef4e02e841d98dc1075e95a761c

SHA1
2e085f30bd21f45017592e892d50ddcbc943a663

SHA256
ffa45b04e46c38dc076880c6f92bd646f29677dafbdc35ef2feaa3f3298e2589

SHA512
cd5afd51b20649620d207b740d2fd4e92607b0fdd88eddb8033144d5f4e79d4d6561fb653859b49ce86289d4deedfa128df582ece8ef3faaaab2f7d54a468034

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1248-25-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1248-29-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1248-28-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1248-27-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1248-26-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1248-22-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3240-9-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3240-18-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4476-23-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4476-0-0x0000000075272000-0x0000000075273000-memory.dmp

Filesize
4KB

Download
memory/4476-2-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4476-1-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads