metamorpherrat | 0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677

General

Target

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Size

78KB
MD5

a594e7da4c6fac8895052aeb377aedf5
SHA1

db6c769a57bdfeba85039618219cf2ad01281356
SHA256

0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677
SHA512

f74e75a09b5b100d962974fe9d39e5bf1a9b5bd0fd0ba812c8e440e73fa3194d921f4b65b4b9c4f07784758ac5728668d29bf8a419874d774d46922b7fa7d202
SSDEEP

1536:bPy589dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6u9/Z21KEY:bPy58on7N041QqhgW9/Z8Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe

Deletes itself 1 IoCs

pid	Process
4784	tmp84D0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	tmp84D0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp84D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
Token: SeDebugPrivilege	4784	tmp84D0.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1852	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	83
PID 684 wrote to memory of 1852	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	83
PID 684 wrote to memory of 1852	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	83
PID 1852 wrote to memory of 4636	1852	vbc.exe	85
PID 1852 wrote to memory of 4636	1852	vbc.exe	85
PID 1852 wrote to memory of 4636	1852	vbc.exe	85
PID 684 wrote to memory of 4784	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	86
PID 684 wrote to memory of 4784	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	86
PID 684 wrote to memory of 4784	684	0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe	86

C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
"C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlypm79c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES859B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7363D4240354F749BC379E13735732C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- C:\Users\Admin\AppData\Local\Temp\tmp84D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp84D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0521b6344c04d8c0a3ba1912c4d382bd158cfdda17c5d9f89df79eca24ef1677.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES859B.tmp

Filesize
1KB

MD5
8531e77bb36f9a6d8382b93f06a1c74a

SHA1
77f72ce3c01c59c4688a7a6a3ccc177a1f33b9fc

SHA256
07f204216ec0bd9f1291a7ab46e9d615f2d48fa75071e908de7175bc5aa074cc

SHA512
476267b505bda32c833dcee92d01e52231b7796ebd2051b465bb016553eb946ed75a8ebea1eb26e75813fd04479a4abc8afea93574fb59b77161f3bb126795e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlypm79c.0.vb

Filesize
14KB

MD5
bf58851f1f1b99db93dbd4e64f26cbbe

SHA1
2bdfbb10aaa5486392d65c17759b3e683630ed53

SHA256
5d532727a7a0eef79c7918cd5157b8774c18be59b91b2dcc2fc1b79e68999db3

SHA512
2e3e97137183f5b99c47c94ee185d7038f9c8ffe7221a2b5ccebf5d7281d368a32fbec265f8c4e9768cac6b1f5a1ab8f2031a705a7ce317e911887103ae431b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlypm79c.cmdline

Filesize
266B

MD5
f0bf6e4cec481346426753a0167331b9

SHA1
b9cff89509689198d6e5d6d3d932539654774ddd

SHA256
f24289c7f5b746a20291fe5fc1414d5aae9fcbed1f9aabdd405b94ea44d02ed1

SHA512
4e012eb050a9349841ac688e2c3cee272bf2f7df13c7c22b293705fe80277ee5acc40d894a3a3931cd62999f95bfe929c3380a3a0c52e1784cb8dccca0113f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84D0.tmp.exe

Filesize
78KB

MD5
1ed8378d86c6d8f9f7109fc5204c95f5

SHA1
69e6e0c6f6889649b09d8990272d8e959f94cbb6

SHA256
7605761f695622c9d3b7b993cab27b911ee6839381764798f49ea14267a05f91

SHA512
c9640e9f494917faed6419671e69aec990088d71e95cb47233a12c126c09af9bd960934540d426bf81a729bf7ce3ccc680ed3248021d24a7ff7baf1dac933362

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7363D4240354F749BC379E13735732C.TMP

Filesize
660B

MD5
6114bafdc56734b3da716b8492616a6b

SHA1
1a8971821c30a5b97455c6289dda7701fca93165

SHA256
7d1428a1c6743822ccfb54967536f90878c951abc26cc6b7f2961d8ac7e8b0de

SHA512
2dc21acdd2444f53bd044cc45c3acd7f2c2101d043702ab37aa6c4633f7b931a2966b3c00ef6400006948d85cda96a44364c1a0f4954658d63b2adee7491c380

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/684-1-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/684-2-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/684-0-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/684-22-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1852-8-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1852-18-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-23-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-24-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-25-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-27-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-28-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-29-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads