metamorpherrat | 4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250

General

Target

4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe
Size

78KB
MD5

6faa53cffe376dd59aa789bf390aef6e
SHA1

e444c3f9ee254a47510ea87e2c1024c29795261c
SHA256

4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250
SHA512

8c1a03b2c9508738da5df7e2bdaa3f2d892269bd4dd843452db2d166ec24d863e182ce6e85dfb1eed8cf994e48b938642d7665feb1c447637fbacfafafcf52d0
SSDEEP

1536:Jy58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6F9/M1Ym:Jy586E2EwR4uY41HyvYu9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe

Executes dropped EXE 1 IoCs

pid	Process
4564	tmpA2B8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpA2B8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA2B8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe
Token: SeDebugPrivilege	4564	tmpA2B8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4804	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	82
PID 3720 wrote to memory of 4804	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	82
PID 3720 wrote to memory of 4804	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	82
PID 4804 wrote to memory of 852	4804	vbc.exe	84
PID 4804 wrote to memory of 852	4804	vbc.exe	84
PID 4804 wrote to memory of 852	4804	vbc.exe	84
PID 3720 wrote to memory of 4564	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	85
PID 3720 wrote to memory of 4564	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	85
PID 3720 wrote to memory of 4564	3720	4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe	85

C:\Users\Admin\AppData\Local\Temp\4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe
"C:\Users\Admin\AppData\Local\Temp\4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5o5yf8oj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA690.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A354EE722ED4C33B0A27BE8B4ACC04D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f06b467b92d6b47dfe52c5e3ba448f7141da2f1397ec5f5ea90e0705c341250.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5o5yf8oj.0.vb

Filesize
14KB

MD5
6228125d449a85f5934c190362d4c187

SHA1
963f739b6bfe6047283203563709cbe234457e83

SHA256
c6655ed8cd8f27738c3e18e00b119353992ce8e5ad64de810189ec50dbb7b18d

SHA512
0c997cf341607099c76bfda867f482ea57ac864942395cc09e2f962a2ab540e9894e4e800aaa1751d2114ca0b8222f490709f538ce7238c4c47d537827194930

Download Submit
C:\Users\Admin\AppData\Local\Temp\5o5yf8oj.cmdline

Filesize
266B

MD5
f551e82d72173608611a3c560f244cac

SHA1
d826e9de1d0854f23616281c9c1f40518686dddd

SHA256
feef6b24fcd4d18503a21c67e62f9af8a2af5b6e578d2f98bceec8f63359940e

SHA512
8007dc38db8d65c678eed65274ba2e9d0aeaabd2eb7ca759562dd6df588c198d0a7308516043b1b344fc7e5d5ec6acb424bd85208b90c26107764f5fb9b10a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA690.tmp

Filesize
1KB

MD5
795114d8f4d33daf8b24756dbd3f5b34

SHA1
cc27dcaf0924e8aca9d50eff509aaa9647def95b

SHA256
bab7a39df00085b57f438f254e84d58fd5e89f0507739f87521a5dca37c4a292

SHA512
ff1c09a7fea83a5b06e0e874370ace7264813324d8205dc7faf6cfbc118e7bae8dc19fc3e84bf936629e7cff20e6effca707f47377e6af09d16321eb199e59dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe

Filesize
78KB

MD5
816a08b17f1ad34bc761b1d260c439c0

SHA1
32ec52f0a5df93d80b3846375ec6ae9a35ffda10

SHA256
2643157e4b1993e7254ec45a27384148b3f6724d197ebddcd5c7fb42e3006328

SHA512
ebe4e25341a0d0fde6b3de36db0a1b49c559f21b94c85f3c606e03768a16c4f2404ccd38f02d12c68ad962d338e0c96a369adf2bd5ffc47439591d3c3fb25a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A354EE722ED4C33B0A27BE8B4ACC04D.TMP

Filesize
660B

MD5
d091dc3c8f4c932333430da0cb3121b2

SHA1
148df67018848b436583ce435e3e03915c38bfd8

SHA256
f7901af18901ba4d6759777030b57a28c84f0098887dd5cb35a0c880606d522b

SHA512
58ed6d788d64c053d7cabe8ff6aa40db89d481bff930f3e9db1277271849b625c59e6f835ced582918a8afd9c628cae332bd060fa0a65d2c363731634b5a6a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/3720-23-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3720-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3720-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3720-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/4564-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4564-24-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4564-25-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4564-27-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4564-28-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4564-29-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4804-9-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4804-18-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads