metamorpherrat | d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273

General

Target

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Size

78KB
MD5

1bcb46b33c8090dfe71118c387d072f0
SHA1

9a3d4fc274bc581f266f8aae273251cdf0148075
SHA256

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273
SHA512

15afddd4461a0d91c4bb22cc9da7f6a3a3eaa62d3779dd7b530668cff1174d21f3927c90a24d9730e0b540357662cbbe968f47c7c49c0746094c109baa3dfe83
SSDEEP

1536:+y5YXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96l9/ej1Dr:+y5gSyRxvhTzXPvCbW2U+9/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	tmpA057.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA057.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA057.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Token: SeDebugPrivilege	2808	tmpA057.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4768	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	84
PID 4532 wrote to memory of 4768	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	84
PID 4532 wrote to memory of 4768	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	84
PID 4768 wrote to memory of 1776	4768	vbc.exe	86
PID 4768 wrote to memory of 1776	4768	vbc.exe	86
PID 4768 wrote to memory of 1776	4768	vbc.exe	86
PID 4532 wrote to memory of 2808	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	89
PID 4532 wrote to memory of 2808	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	89
PID 4532 wrote to memory of 2808	4532	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	89

C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
"C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6pnk7ydf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ED0C719545E4633B07BBF39222F70CB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- C:\Users\Admin\AppData\Local\Temp\tmpA057.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA057.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6pnk7ydf.0.vb

Filesize
14KB

MD5
655cc89d69a46480509dd0cd98c81940

SHA1
48065db7b44e55459d899c83888ab030faa6f916

SHA256
a52b803e469ff1def60bf14401fc0a5d8c6bc7abbd0547c5b04843ae7ea425f5

SHA512
25bfb4e1dbff4f869f700e561f2ff1a5244be9ed3307bd868ef0fccce60ee0683f559df7b677b0625cd1fef92c8ff5ef184fc7d59ecbf67619cfa4a2eb60dedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pnk7ydf.cmdline

Filesize
266B

MD5
034038c59bba25472b8bb51e6c623827

SHA1
c0aaf8c7b5724d27d0e5ac09a92c3c3a0e5d7f1d

SHA256
a5bd7e53c7527d67b5b7719c6e4055912a1667a9bacb440d3780b93553897b60

SHA512
130c7997bc9d0bd948fb7a51de7db26d1df1767c3237dabc6b1b2168e7e9eb96770cf51e1848e39d519a306632451b5915e6ffa6dcfc8a9497698c81f006ca24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA19F.tmp

Filesize
1KB

MD5
5f70053b2ce23819c222bc3417e1c282

SHA1
b6f5361fc11b7f81e50887a3c18d2275d302cd80

SHA256
efd9012e45a3e940364ab6875d939c7158e47fe278e674ad9a9382914f8deb30

SHA512
dea9f5f95316deb51e944c09c75b0b13ff7618094b1d2af40b4a7945a6ab13394a55eb9e3586e59a2994e3d50a3271d694744077968bccc7efda1c5d7bd20c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA057.tmp.exe

Filesize
78KB

MD5
c2d52e26d14be5d497328e5b8bc51c2a

SHA1
d2d3dfd4540791ffe98695d6501d454c2922ccd0

SHA256
9e44daab380fadc67eba97270ed254dcbced09a76312360db5e5fdcd797e3cd4

SHA512
d1d9c467fd76bd93f1bd043f61ceff52327e706492291e2a49e068d6c4b8b581fa479793ef1ba54778d876e485e1871d3b0e725b2cf7da516f4f392c007ad061

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7ED0C719545E4633B07BBF39222F70CB.TMP

Filesize
660B

MD5
405255f8d33a636ab8a25c9bc6893ea0

SHA1
80d3f25fdbea3bd3e7c1e928ac38a0e7bd05b398

SHA256
8c627909e161a689f8543027179d0f0ef9aa9428bb63e7b01f96f5288795931b

SHA512
ed40b6b24daa733f4c2c0a02e919095c47a745574995aa297c82678969d92f15eda73a94b65a6cecd9931bc83b4a0b64a2380d149a933e1c215e63691ec07523

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2808-23-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2808-25-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2808-24-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2808-27-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2808-28-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2808-29-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4532-2-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4532-1-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4532-22-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4532-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

Filesize
4KB

Download
memory/4768-8-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4768-18-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads