metamorpherrat | 118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed

General

Target

118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Size

78KB
MD5

a7c8face9dd0f643f2a50817cf867af1
SHA1

e4c18b8f6e7f56f84438a24ea800e23fb8d3ff71
SHA256

118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed
SHA512

c417c726eca081a4d321ff6c2c64c608ecadab7f1b5893a48ac601c24a0af578a2bb6f3a5439ea75bda1caed9d0c61da0d8ff203bc84908119773e4a0d7d9e56
SSDEEP

1536:T4tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtM9/g1iy2:T4tHY53Ln7N041QqhgM9/A2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe

Deletes itself 1 IoCs

pid	Process
3340	tmpC0FE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3340	tmpC0FE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC0FE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0FE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
Token: SeDebugPrivilege	3340	tmpC0FE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1688	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	82
PID 2516 wrote to memory of 1688	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	82
PID 2516 wrote to memory of 1688	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	82
PID 1688 wrote to memory of 3928	1688	vbc.exe	84
PID 1688 wrote to memory of 3928	1688	vbc.exe	84
PID 1688 wrote to memory of 3928	1688	vbc.exe	84
PID 2516 wrote to memory of 3340	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	85
PID 2516 wrote to memory of 3340	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	85
PID 2516 wrote to memory of 3340	2516	118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe	85

C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
"C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z58z7yan.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5C003AAD3DD4162B5BA414B1AB85B8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\tmpC0FE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC0FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\118dc523a13ae39a8853bf17d541b732c88e657e426f6cef01c1ea1c16d746ed.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC294.tmp

Filesize
1KB

MD5
7d4552fecab7774aa741eccb84e3e8c1

SHA1
147b38d147d93de11fdb2c496822f0e39f0c9f93

SHA256
7d25459f01e67397f9e0b9b582a49a19a1d19430f6cdf945d0a306e2581227fb

SHA512
18a570346201176b8d5d205144a8b150ac2173f5e56cda4ccfe28d7c4f4e37f2aeccc0295d3dd4721a835bc9dfb9acbceeca13151079b1242a7e8c9fe78f5d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0FE.tmp.exe

Filesize
78KB

MD5
566446aa62546b4f6d0cc97eeb234c96

SHA1
11bbc012f13791a83fdc4fe0a7f022e2c0257790

SHA256
11754ce0444bdb69ece5d5fdcc50cad1b5a3b1748837fc2a257a9b6e18b4d863

SHA512
dca14fec6a1af80e44c91ec3572ba4d4a52f53f976ddb68cd12fe224ed0bc3da504aacc8b77da10211ead28f7c51973ad2b42d144481b823d16343d6afecf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE5C003AAD3DD4162B5BA414B1AB85B8.TMP

Filesize
660B

MD5
9037411a994fa48a7bcfa3457042c2bc

SHA1
db8ef59266768e03ac9abd4383d2399fed771d01

SHA256
a0bbce1b80f550ddb037af9141c1dc81e21a2b75ba113bc6ea9714c11f92d571

SHA512
8e8253509e358f1b5c058b74ab3e72a84284cd531ed314bd1f7819a66a3868884a4c7f871a27fbd1f3fa49140fc2029f0765514b7c382f43fbc6c1d345b131a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\z58z7yan.0.vb

Filesize
15KB

MD5
980cbd675eb5b36d28ac6e7ff58c7443

SHA1
125cb021a47be78f3a725d58b9848911f81e696b

SHA256
faac1765f44d8d0fae7b5b47cd35a61bd46e2b615655984dbdd1759fdb35c277

SHA512
8efce271e515e2015708e4248a98d6422099d8e643890d3df4bd3b170da5cdd174782686eb64cbd88f048841ca494a01ae9044213d95dedd37785221c610c3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\z58z7yan.cmdline

Filesize
266B

MD5
640cd606542874bc6e4b7ee3f413457c

SHA1
a9cbc601845773121981c9e1e4b4333595b63064

SHA256
763edfd81c64564561670fb6c2c35efa067fe7b0d9f012c1366be352330d8c27

SHA512
6577d2bd00b5b1c4982a3ffed7b8c44b360517207a9ea2a0d3e07fe3dad758250a33e7be6186b379b1a4bce5f1948c945de3b1bc9836940e366d4b4f1ed70a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1688-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/2516-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3340-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3340-25-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3340-26-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3340-27-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads