metamorpherrat | 4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275

General

Target

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Size

78KB
MD5

7fcb227cf50a8a6d141a28f5baf6857b
SHA1

bbaeca896472b6a7d1e67a545e9b537ff522fd97
SHA256

4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275
SHA512

70301203754303b20ae3765be57c98cae6c15389e566ed6187df71bb3ce600ea74cb6d015dfbba57caa6e21c2b7a6e2704e42a120fab06ab6cbcdbae90a51328
SSDEEP

1536:iV58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6N9/u1L08:iV586E2EwR4uY41HyvYl9/f8

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe

Deletes itself 1 IoCs

pid	Process
864	tmpB67F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
864	tmpB67F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB67F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB67F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
Token: SeDebugPrivilege	864	tmpB67F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3360	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	82
PID 3316 wrote to memory of 3360	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	82
PID 3316 wrote to memory of 3360	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	82
PID 3360 wrote to memory of 3588	3360	vbc.exe	84
PID 3360 wrote to memory of 3588	3360	vbc.exe	84
PID 3360 wrote to memory of 3588	3360	vbc.exe	84
PID 3316 wrote to memory of 864	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	85
PID 3316 wrote to memory of 864	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	85
PID 3316 wrote to memory of 864	3316	4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe	85

C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
"C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2biqdhw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc506ADEEF1841434CA22AFBFCAC8D391.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- C:\Users\Admin\AppData\Local\Temp\tmpB67F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB67F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4284e008cefe03ca70bb547b4c52592b3970996308a6462500c8fbaffe378275.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp

Filesize
1KB

MD5
e377acca1cba5ce99ffd540c69e43192

SHA1
562db61cc5e51d5c0ff40c19a1fb595c427a8219

SHA256
56d7bf1fff4fb29396fe16a5dbd81b91dd0b69db8e1e9918f6aa0d7470b664c1

SHA512
83017d0e4765e788623645b2be6065362cd42b0935f685ed0674cf65afb05634f20764d8fcdecb99fb03730838ad1f621a4b530bd4f8b35eb0d0135033232945

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2biqdhw.0.vb

Filesize
14KB

MD5
e251d47729728262ee210117448af94e

SHA1
09076ef7484bfa52d89dd60f77a7aeaf94caa2f8

SHA256
11b86006593b78ed10dc3036b7853df033ba6ca5396a67da2f8eff26fe9b0b34

SHA512
71a77c54dc1f0cd5db3f673204457b42bf94938666c29c65d39a65a9494985cf7fd7e20152abc15b9693429cde2aadf04fa700156a064766356d8fd65f255016

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2biqdhw.cmdline

Filesize
266B

MD5
5c9ad735ad64dfa7efaf8f2c636f0b34

SHA1
46084520e49e7a77202d02c47730bc9607600c3c

SHA256
2609f454bae10036bd4ebcf294288413791a1c486d5258090b468270a8a6ef5f

SHA512
1b49b9fd4c140cbfb1fb05aed97b92dae1ba7a04caddee2457b16360912ea050600ad1a66aeea02b1e6a5647f6c817539c398ae4735e67d4777d66450c36fe90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB67F.tmp.exe

Filesize
78KB

MD5
3476abd8519d8ef34ece99d17c904593

SHA1
d31118a8e40a71c1fe789fadae23f0579311932a

SHA256
5702a1919af5e3043c0035ee77c80094c5a3e7ebefe23b48cf250aabd0a61d3b

SHA512
3429e97d7cf7f489aa32cbaf653975e0545bf828983c1f0a78b67ce14b22f8631f15425a9db00c9253d09ea73302416b28894a09f77ee5eca88f57001c38927a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc506ADEEF1841434CA22AFBFCAC8D391.TMP

Filesize
660B

MD5
c3a06e8c680c0f97787c79cf23b52c2c

SHA1
27fadefd8709306dea72ffa12634a23be5a015e3

SHA256
15fc9d183d0ccf7f4719f12de3aa4efe57760fa48294a55f9ae5b39a71f8ddf1

SHA512
80e787ee8edc057e659588bedff4094c6dcf71c11d30a4831dd2ed7c4d6985c407f3d38be1ed1f56f1b5a4cd63a2e41d208ad9d9926548bfd592d090fe1f510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/864-24-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/864-29-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/864-28-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/864-27-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/864-25-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3316-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/3316-23-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3316-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3316-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3316-3-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3360-19-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3360-9-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads