metamorpherrat | 687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d

General

Target

687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe
Size

78KB
MD5

c8d8866289e5ab803a53d2b2c527938d
SHA1

d4571d31eb108430336eeb565f16e56d57a31d18
SHA256

687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d
SHA512

a739d2997c455a06a88243f15a24d257b9ed1c75eeb66b2de69149839c1335b73335942b056ef69ef2b4e695b78f9fe102715454a43358825d64c12c0d577298
SSDEEP

1536:cWV58DXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6aP9/Ct1IUg:cWV58zSyRxvhTzXPvCbW2UiP9/eg

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	tmp7937.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7937.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7937.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe
Token: SeDebugPrivilege	3604	tmp7937.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 960	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	83
PID 3564 wrote to memory of 960	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	83
PID 3564 wrote to memory of 960	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	83
PID 960 wrote to memory of 548	960	vbc.exe	85
PID 960 wrote to memory of 548	960	vbc.exe	85
PID 960 wrote to memory of 548	960	vbc.exe	85
PID 3564 wrote to memory of 3604	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	86
PID 3564 wrote to memory of 3604	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	86
PID 3564 wrote to memory of 3604	3564	687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe	86

C:\Users\Admin\AppData\Local\Temp\687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe
"C:\Users\Admin\AppData\Local\Temp\687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2rfvjzvn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc348425B31D9D43C9BC8E7EF8149D216.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe" C:\Users\Admin\AppData\Local\Temp\687031d795f2536a6928d2d1b8c2dc58002e403044491a7e2c354923709e734d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2rfvjzvn.0.vb

Filesize
14KB

MD5
0c469ed690bc5c22b8ca999e72af9404

SHA1
7edb5e17d1a305e09ff88cf5bcd0ee190133e865

SHA256
6e659018b90cffa768344341ad80ccc2b5466d8e98b3a44ca671dc4cf24211ec

SHA512
d71460cda23b5adb6994d56502ce33332605adcb1c8013ee79ac3a5e4e63c03b77677fccea05c2ed40827e61303d05a5d108c2758d4d007d5f0f6b607d86eeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2rfvjzvn.cmdline

Filesize
266B

MD5
f6691811991ecf10e34e5cea5775509c

SHA1
e974c58b75cfc321266ffa2a434859ce67156b99

SHA256
6616ffceafd439e438d1fe25b7e3468d319e7ee71432877273345ee46e912d17

SHA512
c4784591b8291ec0f61eb3446c832a3146c996d7f485a2f56848348e55e90bff27f6432159b6cfb1759a0045d8205141b4a769f4b35e47cb76623f466fe8e841

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp

Filesize
1KB

MD5
7b0044fac513166055591599e25a08ea

SHA1
7b9688a29acbce3624b5e9c1d763bac879698173

SHA256
7bcf22a3ff762b36ee908767ac03eb47f638fd0c5a8322a620e4a9bb6ead8aea

SHA512
53902b5c9d894a43bcf31deb8b01fc4a50e61bb98e1a23bb9d83deca48ffa46880084a5537f5fe0ff249936356809c01a8055a59259be16655ffc6988c847cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe

Filesize
78KB

MD5
dbe79656d7b7d6958df6c0e66f1987d0

SHA1
d62cbab7292b11a0c3e39613a0de66c071332644

SHA256
609ba6246d5150514b3ca1af7d407b6c522594ba06c73af0a754859680dbd81d

SHA512
ca7a9e423dd978b45f6d54bf5783c763d5cc02ceb2ed3dcd59e164f0f7cbb9773aa8bec0d498a127eed02bb971bf342e7785c82fd2ce279ed6001c6ec93edf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc348425B31D9D43C9BC8E7EF8149D216.TMP

Filesize
660B

MD5
c187a36602c2a503c0b1d47d69203227

SHA1
5cd08172115df44c891a41e7ed3cd2a5f1743663

SHA256
7488e0cd46e459e32a5e14ec20a642cc877dbb5d9b24dbac6a550523d8bce66b

SHA512
94cbbfe77fd4e7fd9bd084c6dff30c5f88c7faf5b677b0c528e438614cbdd5f48c66eb8aba35cee47eba9fc8596ae12e03096ca8f3b57f92a31e5b026cb2b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/960-8-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/960-18-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-0-0x0000000074F32000-0x0000000074F33000-memory.dmp

Filesize
4KB

Download
memory/3564-2-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-22-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-23-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-25-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-24-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-27-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-28-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-29-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads