metamorpherrat | 89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da

General

Target

89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
Size

78KB
MD5

fe728f00f45d82a7f0d5494a3e34699b
SHA1

44eb0c478edb1c0f1faacea0843f0481ba3a39cf
SHA256

89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da
SHA512

031d752ab87c8910c9064cb950f114fb253099e514a1d18b165f5d59e2bf8a39f798a1e1399bd086a68b1751c742510cdd0f4c7841ae67c644da16697277e008
SSDEEP

1536:nRWtHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLM9/R45:nRWtHFbdSE2EwR4uY41HyvYLM9/up

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	tmp926C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp926C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp926C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
Token: SeDebugPrivilege	1996	tmp926C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3596	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	83
PID 1324 wrote to memory of 3596	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	83
PID 1324 wrote to memory of 3596	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	83
PID 3596 wrote to memory of 4848	3596	vbc.exe	85
PID 3596 wrote to memory of 4848	3596	vbc.exe	85
PID 3596 wrote to memory of 4848	3596	vbc.exe	85
PID 1324 wrote to memory of 1996	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	86
PID 1324 wrote to memory of 1996	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	86
PID 1324 wrote to memory of 1996	1324	89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe	86

C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
"C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdvowfft.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9337.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CAAA2A57BE14C40B987A144503B52E4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
- C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89ce79c4ddb6d9f7177bddd4888d8b65c380a66f8dc1ce7805cf6c23aa1855da.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9337.tmp

Filesize
1KB

MD5
8d415384324a2003a0f7bd39bd9625e6

SHA1
fb61e3df5ed2c1edf030b67190cc629f4b481859

SHA256
6ac6b18367c1959a6b970616f1afc4b10e114c769d2179d13b3acdff74551104

SHA512
f6f0e28faeef35f434b76ed11ae49063959dcbf455c17ba65c50d3fbb64bcc1802b3e15710fa86305a244c91cddcd43d02dd2abeed2ca9fc72a46bf177324c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdvowfft.0.vb

Filesize
15KB

MD5
7c330942865539eb7807c5b17fd78003

SHA1
04f22eedb8a4fa545625a518d065aef12cf4fae8

SHA256
7e3d41569909be1f3210af0565db083118c05aee006e442ea4e91c7f4b47f701

SHA512
ac908c7d28fedac72793f48e852da3bd09dea117efa5a8756b8ecdb8a7aa84aeb2cf3c6312f5ffb959076c8b36c8213439eb5a1ba256dea15a98211b02d82296

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdvowfft.cmdline

Filesize
266B

MD5
8e8a1f80be29392fa59a87813e87e002

SHA1
fda21b0cf40d326361c08f83a09a6374152c4fdb

SHA256
e6557efe28e48dabdb9fe0786ff5b59a8c72b1d14263c8690549882275cb6c2a

SHA512
1a8a084bedc477e9bee7f05e74e5e9dd9e0acb24845301cf33d86da4076f23770c3cddcd2d33143a194a3928e4ab431e7ecc6073d55141afd6b618d8f59cb7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe

Filesize
78KB

MD5
ca76085a94fd846fcaf4c1493907bf1d

SHA1
002e41ae87ff7595c4866dbc9680c1a6d9f72c42

SHA256
3ad9bbad3b6686ae5d19a80ddbfde55774b0813b1647e7efc4b1bd89cb9c7032

SHA512
6f337bd70911baf354c8de7accedc5c189771d94e0a1c44b41ae94e4323e6f9556a8392c71e4c81e0dca210801c2e437286c6ba1d12926e892c886ce713b2b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CAAA2A57BE14C40B987A144503B52E4.TMP

Filesize
660B

MD5
d0aeae7d0905adf07d57d68290108405

SHA1
54813bc885c050dfc0e54f57754eeb7ce1f33c12

SHA256
32d2d82c80bf4e940a6bcc793e4ecdcae1702fafe6e0d57657fe18e1c7135005

SHA512
dc4eabf357162ddb825199c2e0ef3ea7f75ba115319bcc35cbbd819693be79867e676c9385ccf6e8dcbe5d937970d2fb1792f682f658e84425cdb7f2478585fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1324-1-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-2-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-0-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/1324-22-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-23-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-24-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-26-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-27-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-28-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-18-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/3596-8-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads