metamorpherrat | e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166

General

Target

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Size

78KB
MD5

d4b315d9874a3aa8f9fd98b14eca2206
SHA1

431ff598d7882074480500320b252c2d1b3824f5
SHA256

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166
SHA512

53a86e36d3a7be8b79377b3b6fde04edd4d437c41a97107ca68bbd3fa59ef51f62b96b4d126fbb8de5d087ccb339acb1e14c787418a8bcb006731de354212841
SSDEEP

1536:FuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte6Q9/51gTt:FuHYnhASyRxvhTzXPvCbW2Ue6Q9/Gt

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe

Executes dropped EXE 1 IoCs

Processes:

tmp8944.tmp.exe

pid process

2208 tmp8944.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
2208	tmp8944.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8944.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8944.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.execvtres.exetmp8944.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8944.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exetmp8944.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
Token: SeDebugPrivilege	2208	tmp8944.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exevbc.exe

description	pid	process	target process
PID 2280 wrote to memory of 932	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2280 wrote to memory of 932	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 2280 wrote to memory of 932	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	vbc.exe
PID 932 wrote to memory of 2640	932	vbc.exe	cvtres.exe
PID 932 wrote to memory of 2640	932	vbc.exe	cvtres.exe
PID 932 wrote to memory of 2640	932	vbc.exe	cvtres.exe
PID 2280 wrote to memory of 2208	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp8944.tmp.exe
PID 2280 wrote to memory of 2208	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp8944.tmp.exe
PID 2280 wrote to memory of 2208	2280	e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe	tmp8944.tmp.exe

C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
"C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zaufkzah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1625347087A7493EAB14D64B46AA6AE5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e06388b5872b21ec2caf79262d73366f575dd46f7971ed0218df491e58c92166.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8CA0.tmp

Filesize
1KB

MD5
3a2590b60c0674e1b6bed8504b6bcc16

SHA1
383ac45595a95c27816f3fcf2c2e5591ae7fc560

SHA256
b92f72276933497d0fe85f34627718364319abfff3323d28091596c30068cfcd

SHA512
091cf812a0ca47d9cec7eeb6e6c5d1c15569f20158be4471045898564d45b61452c22c3b3931f5b917bc01ebba089b99b55a0f24d4506af9949311f76a044b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp.exe

Filesize
78KB

MD5
d4432d312da02710a83f914f11a3f11c

SHA1
7e93831bbde791d69c073f1f0de2a918ed05782f

SHA256
4ae11f3a48d5afaa3d89f2f083854f14893d9f59807301a7599717219d73297e

SHA512
0a8244b770d7530f9f8a37d3e74459838732a16bce12e5f10268af7c4af7d8c8592f80b21488c81ffb93f1c88e9a04bf4d7f03ddae9a45e01ddeccb9995edc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1625347087A7493EAB14D64B46AA6AE5.TMP

Filesize
660B

MD5
53d998327a266001ee5b1bc9e37bcc7f

SHA1
f231b916d139e4c90dc7126715a18e34c0c17118

SHA256
9c3787bf33f712389e480c4ae4ab4a6e430efff0778e5a82d87c51246cec3d98

SHA512
1a320796745097896db6f171a79d3666ac8b96073caa44d0f464d1bafffea45a4d8cf806eac90818d97a22e6ae1b679275c51e35fa9c744a30cad71c13375267

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaufkzah.0.vb

Filesize
15KB

MD5
7400ac877f4698fdffded8902dd3cede

SHA1
bdc798d41993d3c352440cf3b64fdac1459510ff

SHA256
db561b469a6d7488c1c7d7e6858b67101aecc837ec391835b246afdd8da1a6b7

SHA512
eb6c59af9e0570312b7806932d9c8de8e5c14d1902f0220cbc12026cd0b4ead3ab25fdd7a83965188ad65a2a340619a401bbaf56eb0abdda2199d7883b8e5e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaufkzah.cmdline

Filesize
266B

MD5
96850a0b7ac8b7d697efee1351fefacf

SHA1
dea1e3d07952ec94e6ecab6ea1eeb33cfd9e5b58

SHA256
3f2f2f2597559bc6fb1454266ce2ea5de43cb6c2f5c2d3d8a062ab2432e33ab7

SHA512
61981cc61705795194e5e854d8797e436da5cbb0e49b41d5339d0834f17cc5efa79a649bf3c19f9a79b246cff5d80c055c9b7068d88e6671ba27a9b962171640

Download Submit
memory/932-18-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/932-9-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-25-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-23-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-24-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-27-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-28-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2208-29-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2280-2-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2280-1-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2280-22-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2280-0-0x00000000755A2000-0x00000000755A3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads