metamorpherrat | f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753

General

Target

f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe
Size

78KB
MD5

e55af3ec5a0c6ef23e025e6fbc913c60
SHA1

a2cce3af7848c2f8b6934f5f438a82246476628b
SHA256

f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753
SHA512

58f15db702173f77775d9499256994d5fbfa5d0fc1dc7c0285bbfe39b014b70c0a3346e02c9739f3dd09432791e7e31576e973d89662e439d955580d660b016e
SSDEEP

1536:ze5YXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6+9/D+1dz:ze5gSyRxvhTzXPvCbW2Um9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe

Deletes itself 1 IoCs

pid	Process
5004	tmpB15E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	tmpB15E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB15E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB15E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe
Token: SeDebugPrivilege	5004	tmpB15E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2756	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	83
PID 3976 wrote to memory of 2756	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	83
PID 3976 wrote to memory of 2756	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	83
PID 2756 wrote to memory of 8	2756	vbc.exe	85
PID 2756 wrote to memory of 8	2756	vbc.exe	85
PID 2756 wrote to memory of 8	2756	vbc.exe	85
PID 3976 wrote to memory of 5004	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	86
PID 3976 wrote to memory of 5004	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	86
PID 3976 wrote to memory of 5004	3976	f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe	86

C:\Users\Admin\AppData\Local\Temp\f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe
"C:\Users\Admin\AppData\Local\Temp\f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvid4nry.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96403003AD41168368C6E083208473.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- C:\Users\Admin\AppData\Local\Temp\tmpB15E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB15E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f29362b80f3718cb8ed2f91da9abe1485f72cf92b0da328e99ccfa3f4a613753N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB287.tmp

Filesize
1KB

MD5
925089c7f7e75c7d5b50e3de1a861f05

SHA1
a108c2c75b855d95d1c8e02749f7498abbf7b0fe

SHA256
bbfff9faa85bcf1a8814ff6812dac5fcc9e17510369de68f1e61c8c3a0423181

SHA512
171d3161c9ec530368a801d2ffe8a5db9d6d1dc801f2b74a8c2b8a21d7ab97867cf6bcbc849a2e345079082aaf656991ae367f8d21184b92300e176103afaadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvid4nry.0.vb

Filesize
14KB

MD5
c3c9e3b35cb177dcff697ebe81c9f767

SHA1
f792ee354cd00e9916ad4c8156e6cf42ce443812

SHA256
82f57dd333eb941ef6b6247936c7a215bde161356c9c5faf274466ef47c293c8

SHA512
f5507671f15fe8753e598a65a1d87321d0278813b06909f8573b516b902c96c1832d851096f6d014227412b8279a2c53ce9cffc9c70931e2bf76f4af89a780b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvid4nry.cmdline

Filesize
266B

MD5
f63b3ac5934d53f8babc03a8e137fe13

SHA1
000f4c4f15b7dec250fb572ea15684ea48e3b625

SHA256
d35216e13b4f69a4a569dd5915331d0d9aff91190f13c6ca71a9bd893b55a89b

SHA512
8afaa19cf8e6b4720156d4c6a60154044eec868163a5eca02dfd0c4bc94d11363a7e82abb75f5b9dd528a0fb8d56fd68291be19fb5aef1f00e7b4d50a7de3a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB15E.tmp.exe

Filesize
78KB

MD5
d2c870dbced7e9bb06e91fcd404d5d02

SHA1
6e2ac40da3a53d42a1702181675f5cf3000b760e

SHA256
47381247edb2d477e4299239bf72308e0951eb77f97ff48034185b918a02e4fa

SHA512
8d865e46f7a3e597ba61d0c078ee4fb4bc9c7df04b86e84379a718ba099ec43c482b035afe7f3780c8de89964b7eb220a264797d2a97740bab9e3441f5671c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96403003AD41168368C6E083208473.TMP

Filesize
660B

MD5
8ae1cba1f8576d39feac83f574e03911

SHA1
578f240d640f0bd4db55c762c6ab1c1b16419a95

SHA256
5935993e10eac0a8ce4d93c71cf81be820456b79804e4d19395b98cec2ea82c7

SHA512
5b11858e9df72e6e6f42d16b1e3d5c7e62d7af175e24d1be7ccbad87fa9ee86a120588ec02cc97e34dfa67bed940cad190f44fe494b8fa98ca1abac5391f4f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2756-8-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/2756-18-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3976-0-0x0000000075552000-0x0000000075553000-memory.dmp

Filesize
4KB

Download
memory/3976-2-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3976-1-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3976-22-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/5004-23-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/5004-24-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/5004-26-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/5004-27-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/5004-28-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads