metamorpherrat | 19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399

General

Target

19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe
Size

78KB
MD5

1d43c6117a4a3c1ce57e284755e05470
SHA1

f42fdd400ea16703788f856c581f935924ff9be4
SHA256

19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399
SHA512

2741c5fd9a98e9e1e71c866fa75e4e5024385ed0e41c34ad0e9b5341eda839935e42219900522a80a9eef649789f9e9f510917821b7bbf2181d95e9d7a4ba567
SSDEEP

1536:SCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtZ9/a1C3:SCHF8hASyRxvhTzXPvCbW2UZ9/D

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe

Deletes itself 1 IoCs

pid	Process
4200	tmpC15C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4200	tmpC15C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC15C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC15C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe
Token: SeDebugPrivilege	4200	tmpC15C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 2328	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	84
PID 4452 wrote to memory of 2328	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	84
PID 4452 wrote to memory of 2328	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	84
PID 2328 wrote to memory of 2472	2328	vbc.exe	86
PID 2328 wrote to memory of 2472	2328	vbc.exe	86
PID 2328 wrote to memory of 2472	2328	vbc.exe	86
PID 4452 wrote to memory of 4200	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	87
PID 4452 wrote to memory of 4200	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	87
PID 4452 wrote to memory of 4200	4452	19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe	87

C:\Users\Admin\AppData\Local\Temp\19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe
"C:\Users\Admin\AppData\Local\Temp\19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqxacyid.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE07F70603924454AB678D9E89A7DF2D9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19c46dcda296f9a78d886c536b0d6604f0ccb259ad620dc79d85c8ddc0720399N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp

Filesize
1KB

MD5
2db0cfafd3e2947f7aee3f8322f40f8a

SHA1
7a4751a8c323ca8f66a54e1aa3007b2280e00f26

SHA256
ee991ae90f3fa796d56cd4a959fc1d878515a6c39e02efb7df83e4929b23c428

SHA512
45855d9f6a489176779dd5cfa9931ff1931b357fd8e3be29ba45a1fcf75e0a8a044e7e5401133b79f001bafbd630022a76ea0ae0a76e0d37b2f8036e7d6d04eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqxacyid.0.vb

Filesize
15KB

MD5
55385f93a8d50b4d11dde66bc912233a

SHA1
b0846a180de77a41797ad82faf7f0ac435210632

SHA256
57686e028c47557405df335569371225dbe4210489fcae4f6e2e129b4505d7eb

SHA512
d5d0ea8d903646aecb953410448ec29497763a9be62a5fa9dbf8fe8cac2c35c6f9208a2b462fec0cc6f1729c2172294fd92e594b46c6390541d908ac2a8cf83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqxacyid.cmdline

Filesize
266B

MD5
9e44b4ca5e4dc024d3b31785836fae9f

SHA1
d8338c03aa1d6edd1b41a50ddb72e574fc192c5f

SHA256
b6ba720633e68d70f2dcbe5ec8f7ac4daf4f01a882e581e437c63b6a808d3c98

SHA512
70df795b2293a0b74f8eaba46067f8ce7d6124fe57180648f07bb556552c81983aa77c753a5fb178ac4b8a2bf39b0509e6949545fcacbefba76930a9fc455d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe

Filesize
78KB

MD5
03895c0816a2e83269fb6a7575adc6ea

SHA1
a042ff5a3266e10c2784f5d0b3f45af5e88ea262

SHA256
047e6643fce66a78aced1496fc814b8f1478ff3cb6921730400f229dd3e2b81c

SHA512
976cb2a0e237ab8e90553df6a1915065ee378eec94cf85da55eb4a2976c8d5e5657b8ef8bdc6e9f7e1e9c7c734e0f21dc3b935bb2acb898a08266f0ade846b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE07F70603924454AB678D9E89A7DF2D9.TMP

Filesize
660B

MD5
a218dc90c4a6b7f7d779bcf5624dbff7

SHA1
1e2ec8ebdba5b1944002399e82f97c6cd932179a

SHA256
3d94346ab0f91cee1f9065445e3a170d43904d6abc4f8a9120dffe67824eeec8

SHA512
e0b653ba50efb4c485409f8ce7259056d48fb1070742a64f2ede93a42b8d601573d100348caccbd9e3ed5552e3bd7bb783bdff7711deee4cc7e3f9be6a5408da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2328-8-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/2328-18-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4200-23-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4200-24-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4200-26-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4200-27-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4200-28-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4452-0-0x0000000074762000-0x0000000074763000-memory.dmp

Filesize
4KB

Download
memory/4452-2-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4452-1-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4452-22-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads