metamorpherrat | cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8

General

Target

cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
Size

78KB
MD5

634ce1212e84df52a4b15a04be713d34
SHA1

f6134013ad864ae9d0b65023f1cc34c28856e3be
SHA256

cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8
SHA512

00d8c49d4a01ccd0543fa0df9866e357a1e680a4074c5a028c9c395d0ba400ca029ac420ab4231731b0f73c095a9288c20a16405551f51786fb7878f60911483
SSDEEP

1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1HdZ:LtHYnhASyRxvhTzXPvCbW2U869/eZ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe

Executes dropped EXE 1 IoCs

pid	Process
4900	tmp635D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp635D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp635D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
Token: SeDebugPrivilege	4900	tmp635D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1868	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	82
PID 1104 wrote to memory of 1868	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	82
PID 1104 wrote to memory of 1868	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	82
PID 1868 wrote to memory of 3480	1868	vbc.exe	84
PID 1868 wrote to memory of 3480	1868	vbc.exe	84
PID 1868 wrote to memory of 3480	1868	vbc.exe	84
PID 1104 wrote to memory of 4900	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	85
PID 1104 wrote to memory of 4900	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	85
PID 1104 wrote to memory of 4900	1104	cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe	85

C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
"C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5xvmllks.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B615A0748F49EEA34DD4254A8862C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf8d83152905faf07c13fbe50c86e7bf0a38f461c26194409393bc7a28574cd8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5xvmllks.0.vb

Filesize
15KB

MD5
e9c796701159d1b40ff235a17b6d58fd

SHA1
bf14a4d4b7737b7e696663c9e8edf5ae9d63e58f

SHA256
5724943a6338ab4241386593d8fac357bddf28b37b7c5b880acb6ed9a80262fa

SHA512
ca3da3f4a148d6e25ed0b80fff920ad3dfa99cb789da5d9f208a6c0dc01f2d395d12bf9b1019dc922a1e41597a9f8da721072935b236b9a65ed31d0f0b1fd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xvmllks.cmdline

Filesize
266B

MD5
c07235575d26421502a0afb437bcc50b

SHA1
e701eb90a784e9c6ed66ee78e47212ff48ec7226

SHA256
f2a8eadfb09e29321fc8ddc361c28ef8634527ba85ae3e3b123892eaa4c3db5f

SHA512
450d845115ee7a825933c2794fa64b5a8806762acbb9d035b46a1888ff47ed54fe693301531766a64b27d95dae8a9cee65543ee22bebaf81059ac6846e2175cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65FD.tmp

Filesize
1KB

MD5
0db3126aa675700fdaefa838c1264b61

SHA1
223dba96c9d75a9f7ed0b2f77efe34ced89e6467

SHA256
2aebdbd25959ce872ae7624c8038f70f99c855c5a5903447e98531c0df3467a7

SHA512
ae76d87f2e56e8d6232e6161b6ec3fd44a99a453c1cce6d8fd3850adaaad30e8376ed318713468c4851f46fa2fbfbb1d346721c479c1aadab2196f0e139bd09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe

Filesize
78KB

MD5
3ce7334a15d60892546d5f7458546efc

SHA1
b03b6ecb8cbec43431c7a49aab5b14b6d6ae049f

SHA256
54a08bbb27ae17446cd94fcf1e2cb8243b47c27c866094f55e50033da43d2fc2

SHA512
fe6579ef8a57baef540d1cb6b2f728a22f7c2d935341e1b52dd0d78da37559b646cd1857d1740b53366db6eedd7fe0f4fe7a078b8f9889f0dc203014b28c9a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B615A0748F49EEA34DD4254A8862C.TMP

Filesize
660B

MD5
b479de0186bf8d0e2f7548c2670ffc38

SHA1
b67cb2c439219261c62a563937267ea1190b152b

SHA256
4dd690d07a95c7d7d2cd667a1238bd6bad896996ba7ce91eb9a9b93cb485d79a

SHA512
c6de01283dad465ad1159c27784ac47c46719ed60471c74fb23825bb928aadb9a41b684298af88cf9a00f4f65719b5386dca85f511af4b1567d6f430c747f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1104-1-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1104-22-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1104-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

Filesize
4KB

Download
memory/1104-2-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1868-18-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1868-9-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-23-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-24-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-25-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-27-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-28-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/4900-29-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads