metamorpherrat | 0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818

General

Target

0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe
Size

78KB
MD5

1ccc2cc7986db7173e3fabe61288cc20
SHA1

e1f263785dbf584aebf11dcdba860971f9a33af3
SHA256

0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818
SHA512

b4f6f9064dcaaa5fc67e392685246769f7569bcd45e08e780e14c5cd830835cecb5b55de8a8c5fad5b8bacd4fd6070f7cacf4c2cc928baf20a56aad1a924a743
SSDEEP

1536:cWV58DXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6aP9/Ct1IU:cWV58zSyRxvhTzXPvCbW2UiP9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe

Deletes itself 1 IoCs

pid	Process
2840	tmpA22B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	tmpA22B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA22B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA22B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe
Token: SeDebugPrivilege	2840	tmpA22B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4572	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	82
PID 1492 wrote to memory of 4572	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	82
PID 1492 wrote to memory of 4572	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	82
PID 4572 wrote to memory of 2916	4572	vbc.exe	84
PID 4572 wrote to memory of 2916	4572	vbc.exe	84
PID 4572 wrote to memory of 2916	4572	vbc.exe	84
PID 1492 wrote to memory of 2840	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	85
PID 1492 wrote to memory of 2840	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	85
PID 1492 wrote to memory of 2840	1492	0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe	85

C:\Users\Admin\AppData\Local\Temp\0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe
"C:\Users\Admin\AppData\Local\Temp\0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkhhiybk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA50A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D7AC27EB3884281B3F3C2DD5253683A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0e37449360bc5dae5e6fb901a872617b5e21ad7aaea47c543cdd9faad9379818N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA50A.tmp

Filesize
1KB

MD5
214eba7417b6d91847e2da44044e6cac

SHA1
2395640add28eb19326125b5008fcede80456ae7

SHA256
eeba5abd366b49018ec8c6b3637415a9052b3260e53c32e49fc6f278088f7a9c

SHA512
af40f9632d4560a303603b2a09d9eee84e116e3351832108c5d51640fce73871e6a5876b1339f4bb4ed80f086b3f588e6d1c761e404ffdeef014c8e303a8209e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhhiybk.0.vb

Filesize
14KB

MD5
8af751d0ed7c701c9d188d23e5f4fe05

SHA1
f66b671d65c010bc8e17b1ddafecf47319574b41

SHA256
426da3f465ba8b54c811470b88f03e8bd93b9a5f3670fbf91a5cd873610b3509

SHA512
832e0bf6818a0524a135aa2e190306d3009570e13630f2766f7734b77d45a4aec60ffe9fdfb62926894b11fbcf45ee748a0591f93e713bff93feed5f4c555631

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhhiybk.cmdline

Filesize
266B

MD5
03490f3a8d62ed9d1980439fa5d80405

SHA1
6af7e07bcb00351f596e0a616f594a078455cb05

SHA256
e92e7baee4509800320b40acce2a7427f5ae5a2b1a1e7115ed0d3002f0628a3f

SHA512
ac8b9630bbe87fb8a24c1651fc664c9e9910da673e44cd8893e9f831a964801e25af5e86e37d3f83c7ade30431d03e7db0cffe36834aefc5cc3b692820d1fda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe

Filesize
78KB

MD5
26b9a0671f08b41fc0f4fcb095aa8b57

SHA1
a22b1f86174d908c4c556d78a3be78283236122d

SHA256
88a0e9a24afec756a2c8a895bea0f448ed3260f8c7f130b623f3999afb61d11b

SHA512
3ff036c5a0bc7d5c81d4930a7c6dbf0c5e3a6795a0c9792174fa9a0ad3f483d456e7c62835bd40852be94249d143b0a397db301ca4cde02a693516d15cf58d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D7AC27EB3884281B3F3C2DD5253683A.TMP

Filesize
660B

MD5
ded4e930995e6a7fa1d5376523a700eb

SHA1
27f05666e64dfdfea6abeb8c8e2362c531762354

SHA256
ff51387b071f5ed5ca7d2c2be7d5e8c826d02e45392529f401f053a1ab5e9811

SHA512
786a84a756d53ca4dd4fce4c06c6d270b00804e61f508c61ad97933316a44534516bf2fc1af3a6e9abb7287e2d47f1b899dc2f74671003c6db2e3e1cdcaa0ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1492-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1492-2-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/1492-0-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

Filesize
4KB

Download
memory/1492-22-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2840-23-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2840-25-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2840-26-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2840-27-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4572-18-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4572-8-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads