metamorpherrat | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275

General

Target

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Size

78KB
MD5

7fcb227cf50a8a6d141a28f5baf6857b
SHA1

bbaeca896472b6a7d1e67a545e9b537ff522fd97
SHA256

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275
SHA512

70301203754303b20ae3765be57c98cae6c15389e566ed6187df71bb3ce600ea74cb6d015dfbba57caa6e21c2b7a6e2704e42a120fab06ab6cbcdbae90a51328
SSDEEP

1536:iV58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6N9/u1L08:iV586E2EwR4uY41HyvYl9/f8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe

Deletes itself 1 IoCs

pid	Process
1932	tmp7FDE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	tmp7FDE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp7FDE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FDE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Token: SeDebugPrivilege	1932	tmp7FDE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3796	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	83
PID 4308 wrote to memory of 3796	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	83
PID 4308 wrote to memory of 3796	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	83
PID 3796 wrote to memory of 3656	3796	vbc.exe	85
PID 3796 wrote to memory of 3656	3796	vbc.exe	85
PID 3796 wrote to memory of 3656	3796	vbc.exe	85
PID 4308 wrote to memory of 1932	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	86
PID 4308 wrote to memory of 1932	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	86
PID 4308 wrote to memory of 1932	4308	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	86

C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
"C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dojlgp2x.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81828B6A1CAB4AD5B29836EF3BEFE957.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80C9.tmp

Filesize
1KB

MD5
942f56ec095ad4b7fb611e6d7cb67a74

SHA1
77925770e9a5c421eae904c52485173a5834dfb7

SHA256
6c28f80434adb832b54857a2db98afb40d9f830ff35b97756236ae55681aef1a

SHA512
2e94e7014f2b9729b2069e2f4b05a081743e50d17de7c7e90ac5007a4e62fcdfc19cea780eb273e1f77729a7fd4cb4103dcd20f71393a07ab11f15bafe8b27c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dojlgp2x.0.vb

Filesize
14KB

MD5
eefbbcbc31e3c1fec27010acf858a271

SHA1
ab700d21fd068778b77368f84e971e066413668f

SHA256
df3f01f37474c31169bc896add8694f92202408b30a0fc1b1ad4752583c12a99

SHA512
68bbb0f8b3a314343f681c4bb1af2b1df26996dbaac68b1f419db42f8fb92e1509c0cb2b007befee807fdfdb385e27fb8c661857ab4f9f109f7c699f9bc51eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dojlgp2x.cmdline

Filesize
266B

MD5
9e2b511035321cef65d1c251877f74f9

SHA1
6608b15c6053734040fc2ea2ac592fb7ef9c8687

SHA256
0810ebf6e6f9fdbd87423b515db279c5bde993dc34d7dbff3bec0721bac628f6

SHA512
ce2dc941c1fb139a32fdb207de0d79e883f3b5a5f35ea8fadf0cc644761345db85c4ea42bef51fae7d9fce5ec2a26af44aa3f8e8e9bd86dc64aad4265afc21e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe

Filesize
78KB

MD5
94e9cff0750017ea9e7f4474474d2144

SHA1
a0ecd2041a06a99a7ea5bedc2536d6a367bb6f35

SHA256
7994a61eae58ca08903d196fe2f40a36df886dc07e27b9591fb3170123c43191

SHA512
e060d86aa2467786ab8de80fdf82e7873887b94333fdc497109aa04791ec54a6c6c2cc2f25348c112098a687a9efab9539cc79e71032e12a2aa0f628d6d0273d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81828B6A1CAB4AD5B29836EF3BEFE957.TMP

Filesize
660B

MD5
81d26f25839a50eaef36a365ade2c760

SHA1
0cebdf0ac7a22201dd1b4bc7144829838dbabf90

SHA256
8fd0a26d9d0d248a470fe87adda2f1b710e2eed75acb25db5ae03ad6d2fa96a4

SHA512
23fe5d9693f4d7a1fc8d501709bd1af82dbec6b915843916d220fd9ccd33725f54e8bfb2fdd1102732d93972269d7ecd96bfbe1147dc64e6d948df14d42bb4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1932-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1932-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1932-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1932-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1932-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1932-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3796-8-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3796-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads