metamorpherrat | 37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317

General

Target

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Size

78KB
MD5

94aa56de2a40839fcd86450b31deafac
SHA1

b761513b32928cb7fdcf7877d9add4642ded0a49
SHA256

37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317
SHA512

cc89b81449272c58982291e3c13a278b4178d7db441dd38e8ca030b2a282150c73e0d71c4928e1e0ee8fb22203d1dbd2be012a6abf640e8fe8e6c0ddd0f4a705
SSDEEP

1536:C4V5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6Vs9/e1Wpb:C4V5jiE2EwR4uY41HyvY+s9/Bb

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe

Deletes itself 1 IoCs

pid	Process
2256	tmpAF4B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	tmpAF4B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpAF4B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF4B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
Token: SeDebugPrivilege	2256	tmpAF4B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2124	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	81
PID 1732 wrote to memory of 2124	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	81
PID 1732 wrote to memory of 2124	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	81
PID 2124 wrote to memory of 1528	2124	vbc.exe	83
PID 2124 wrote to memory of 1528	2124	vbc.exe	83
PID 2124 wrote to memory of 1528	2124	vbc.exe	83
PID 1732 wrote to memory of 2256	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	84
PID 1732 wrote to memory of 2256	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	84
PID 1732 wrote to memory of 2256	1732	37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe	84

C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
"C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iez0al5s.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D536ED73E784ED59F202C8569D8F7DF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37d858dec41f772cb738ea43d2757f32331084e8e76c46c4eb475a1b23254317.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB083.tmp

Filesize
1KB

MD5
3604613930ae9c91b216e518b0d9f6c6

SHA1
fdda367c2dcefd655209627205102b1a0f36e4dc

SHA256
daaeecf83e52e6bf466555a17077270450a575d072b19c87bf9f48d434db85ea

SHA512
7d735055e4d77fdc110462aa9e8661a9e4ef48b8cc389f1018d3ce2648ce93e1abdd6383f9b59cffde16ebd796778a0407c0cd3f02d484848c8175e7aaed2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\iez0al5s.0.vb

Filesize
14KB

MD5
1651a7b5a5c6caaf69f7baacdce5f394

SHA1
9e5e5df6830b868b37cfc8c494eab8e4af32af23

SHA256
8ee00aa4ffd815a29244f925a8255b3fd7b555ce57d3a0080299b33789f32366

SHA512
08e1af3236891815c7773fcbd9f0bf4a458f335f3b822e2184c9a172552f5a8a221e5424df85120dfe6d77839a4a2e3eac83a116762454e80fd0aba01c086d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iez0al5s.cmdline

Filesize
266B

MD5
7bfd778c6da3a8cd7f51e1df7c46ca5c

SHA1
c5ae77afb995c41f9f612499ff7e0d0987339bec

SHA256
fc9b50fb54b05bbb090de95019fd6aa1a152b38bca9737ff4800380b62bfcb63

SHA512
5c0c2e1fb73feec674339a56f861205183e4c2d1287a1b5cb82436c4dbd0a4b7cfc602ac8fff9ec689406e31c51a44fc102bc8bbcfb07b551001df8e6b697f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe

Filesize
78KB

MD5
72d86eb6f1dc06e6614d16c9141891a1

SHA1
0d62286fdae29c0a4b61c1fd5006612132b74b94

SHA256
edcf1dd677be26fe47488c94c33007a0ce0b1a1870da6683bf2c50235cb5cbca

SHA512
7b214dbd173a86a30b810bdb4098b4e1f4be2bee6716acb9c00c7dd030ca827430048d55aa4f9301710106e671eb578e23c651e89be96d0f12373d3929cead46

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D536ED73E784ED59F202C8569D8F7DF.TMP

Filesize
660B

MD5
000eb497abf05cf2e83c7fdc9c2ff8b2

SHA1
b9fc00e7b942c19d32d635502a14acb470522611

SHA256
1cdd9e94f734bb2defa365a2148bc1749d37311255834071c1b5bb429243f6b3

SHA512
1b1d2f5b355685738ef2d8245b9ce6783a54206efd47e1467fe2b04adbd8a77a5eee8fe4434010df9ee95efabb00b524894df06f67231ede7f435a56a7b34b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1732-22-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/1732-2-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/1732-0-0x00000000751A2000-0x00000000751A3000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2124-18-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2124-9-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2256-24-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2256-23-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2256-26-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2256-27-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2256-28-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads