metamorpherrat | 949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf

General

Target

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Size

80KB
MD5

3d4c15603fa3ee5580c67f36d0b91e72
SHA1

e1129bccd3d702cdfde214deb60b7f89fe1f128b
SHA256

949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf
SHA512

27af519090d60f4b25aa6171884b4c1c27e6d8c63cfd472d0185b758a7e8fd770051c3724671fc9b9fae5d8a176d8a932ef79a36ff0faaf320e932099c46895b
SSDEEP

1536:9HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLg39/CF1Y:9HFo8dSE2EwR4uY41HyvYLg39/Cz8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe

Executes dropped EXE 1 IoCs

pid	Process
244	tmpC7C4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpC7C4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC7C4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
Token: SeDebugPrivilege	244	tmpC7C4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4836	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	83
PID 1576 wrote to memory of 4836	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	83
PID 1576 wrote to memory of 4836	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	83
PID 4836 wrote to memory of 5016	4836	vbc.exe	85
PID 4836 wrote to memory of 5016	4836	vbc.exe	85
PID 4836 wrote to memory of 5016	4836	vbc.exe	85
PID 1576 wrote to memory of 244	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	86
PID 1576 wrote to memory of 244	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	86
PID 1576 wrote to memory of 244	1576	949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe	86

C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
"C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nhvufobd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBF121E71F045D584489670A81B3CAD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
- C:\Users\Admin\AppData\Local\Temp\tmpC7C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC7C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\949bbfac40a875004af7d71f7264cdcb4d56fd9a538f3e1f1456f2c7cd29dfdf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCA26.tmp

Filesize
1KB

MD5
3ffe0361541c9fef47554893c3abb329

SHA1
bfa316e2be18e66f3bde4cb5aea88fe64849016a

SHA256
6ace4148897f64700fedc27b9625520820aee5cacad6540260ed7778e6f6632f

SHA512
1d832c12a2eab41e7f469ba7d0cdd9c69679a03f8d886ba5fc785985dd2b944f8460c986a2b0a6f64b9d028894e517b1c4d44b5052238ba582bc635f1a1d8561

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhvufobd.0.vb

Filesize
15KB

MD5
272fae8c0386eaccf4023bade5b8ad78

SHA1
97bc9b42b96a13d678e9cac21a4f6b9cacff81f1

SHA256
3a72b7589895595de20cf1f14e5d10c2d90ef43e50736b2adc78fd8e49f12a01

SHA512
0bb431331811f292c42b49f710eb1214febf25d61efdf5b821bd12dd2bd942c709ab7ca3e9a7a194ef8070d784646d9c87a4f4a72d10dc0b0fb111596341bd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhvufobd.cmdline

Filesize
266B

MD5
c722fb0187643acc4fb1a5f8b3ea90c9

SHA1
70aaa7b6b121e76e5c31331669ba44ac95e24755

SHA256
2ace711478088a82c454de886e1ec58a2e209cc0912efd3cd327c1dbf1dee26f

SHA512
128ab42e913bc86f93dc743f1cd1ddf60317f57329d8a71633424e37107edcc9afa5416f450bddfdcaf0deeb22ba6e12a685851e9b673f875a2c4432f40e8b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7C4.tmp.exe

Filesize
78KB

MD5
01bfc2e73fe9cc7ef28952ab60e8a7d4

SHA1
949f792d9cc26111ec9cc135148e80ca3e5888ce

SHA256
a047e65b5eea74dfe4f83e493c555251fb271861e01d1592a0709c36554e9f03

SHA512
4e94679d81ffb3511ba5c5da133f4e4e2c1ac91c17746644619dc7b75a44db201d0b65b36a5e6fe1c0285f77b09513614fad3971371136730a8fb8586bc03dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBF121E71F045D584489670A81B3CAD.TMP

Filesize
660B

MD5
ef57215a13896b65959f202a3c49562f

SHA1
11059349692501b9e7b608b217eb31e35220ff16

SHA256
ec658fce83106236473235509f70c2f2a94b54ddfcbf7fccf711e17f83b22894

SHA512
45ff27d44fc48bbb6fb04b5228fa149cac9d1a2248dda1fd5ef70098dca8a6ee824adee640d2ad6018b0a45bdb8c5d725431a055d4e01b2ba5f3a4ec88f9ef40

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/244-24-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/244-28-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/244-27-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/244-26-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/244-23-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1576-22-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1576-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1576-2-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1576-0-0x0000000074AB2000-0x0000000074AB3000-memory.dmp

Filesize
4KB

Download
memory/4836-9-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4836-18-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads