metamorpherrat | 0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677

General

Target

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Size

78KB
MD5

a594e7da4c6fac8895052aeb377aedf5
SHA1

db6c769a57bdfeba85039618219cf2ad01281356
SHA256

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677
SHA512

f74e75a09b5b100d962974fe9d39e5bf1a9b5bd0fd0ba812c8e440e73fa3194d921f4b65b4b9c4f07784758ac5728668d29bf8a419874d774d46922b7fa7d202
SSDEEP

1536:bPy589dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6u9/Z21KEY:bPy58on7N041QqhgW9/Z8Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe

Deletes itself 1 IoCs

pid	Process
4548	tmp9A9A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	tmp9A9A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9A9A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A9A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Token: SeDebugPrivilege	4548	tmp9A9A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1376	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	82
PID 3180 wrote to memory of 1376	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	82
PID 3180 wrote to memory of 1376	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	82
PID 1376 wrote to memory of 1160	1376	vbc.exe	84
PID 1376 wrote to memory of 1160	1376	vbc.exe	84
PID 1376 wrote to memory of 1160	1376	vbc.exe	84
PID 3180 wrote to memory of 4548	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	85
PID 3180 wrote to memory of 4548	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	85
PID 3180 wrote to memory of 4548	3180	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	85

C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
"C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txxcplvt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67C294A7615D4C9D9EBAF43F218D8AB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160
- C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B65.tmp

Filesize
1KB

MD5
757dd93cfbf5e6f9a5a78c1ae2b4161f

SHA1
949c6830d5c5312c7f5d8c1b7f40b9739270cdde

SHA256
f4af3aa55e7c98072df121111a92f897ee87720b7ba50338812d7c422003832a

SHA512
e7291901233cf773ed589a3f15b8c5d80dc4c156408ea129eaad8a369cd4e9442d5b664f6d166d621d057a7315918a8018792b8a1c7fac2a7251758a3bdc5a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

Filesize
78KB

MD5
389a4d062ba6a73d40ba62e31b4d9bd4

SHA1
ee5ac948968e70010df533c951ea6219ab2ae2e6

SHA256
8ed99db9acb3dc52a8dd8609803fb5729fa594ba26352fd065d605d503ca6491

SHA512
fc276c31e6afb10d8fe400c320af6a4f9e8ed1773d6c38e46319da7a1a66f2224465dea127abd9276b9637c93a3b1a89f5a87b367919e15dd17a4a6032cfc304

Download Submit
C:\Users\Admin\AppData\Local\Temp\txxcplvt.0.vb

Filesize
14KB

MD5
5d9a7dc1062ba9b01000a0c9190bae68

SHA1
0128d78a23aba1f83bf890109844c1f827b7a272

SHA256
4d55ff0454a34f8a46b28ec182e70c8078e3320af06d0baddefae44eb0eaec4e

SHA512
0a703eefcfe91bc18413c2514a1fe877f1f2e9a50ee05700d9f321dbcc887205e591009f8419ce1ff2a7218ab96b1c5d7a0f80bb1938d99ffeabae1012258ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\txxcplvt.cmdline

Filesize
266B

MD5
df00218682e7f8b4ee46f97b8d57891f

SHA1
eb803c0f4a05adb20f96fe37dc40365a759783ca

SHA256
67e858b973a67d460708e5a01133e1d461e383204a15c693521e36121ebd98d1

SHA512
f5de2e7926ac09c964c50cbddf79767189963c0f727bb3cbd665d8768151ed0c1d58c14bf558ae88fdeaa9f7c741f867dcf9db02a6040d47e48ead72ee421479

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67C294A7615D4C9D9EBAF43F218D8AB.TMP

Filesize
660B

MD5
c0dc8a76a6b8151727fd299fb8fcaf60

SHA1
eb4828088205baaf92cfc000534f045b0c7b5cfe

SHA256
a01e63f95fcd953b8de23d44899af867ac98f7cb8dca8f069823512d70d19036

SHA512
7c6532389098fb3686ad1444a2119fe9338c364d587077ede0d8a5cda5216f4c4d3e47d620609b22e847206313356db4258c7ef1a9d7622939ed85f7b1d91946

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1376-8-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/1376-18-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/3180-0-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

Filesize
4KB

Download
memory/3180-2-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/3180-1-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/3180-22-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4548-23-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4548-25-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4548-26-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4548-27-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads