metamorpherrat | 3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97

General

Target

3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe
Size

78KB
MD5

9ae053fcbd77f286ec1c9365cf7cb225
SHA1

db2a974ca8224dab8f08729f76ae2016bd26ad67
SHA256

3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97
SHA512

360d67ce4a7bdb597a9d8a9843714e04251295c91c474b757afa484db815b68ea3fe5b175856849c33190ff2e81078c36e91acce1ac6ebf87484713dfaa26e00
SSDEEP

1536:SCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtZ9/a1C3R:SCHF8hASyRxvhTzXPvCbW2UZ9/DR

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	tmpF5E9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpF5E9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF5E9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe
Token: SeDebugPrivilege	2852	tmpF5E9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3908	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	83
PID 3028 wrote to memory of 3908	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	83
PID 3028 wrote to memory of 3908	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	83
PID 3908 wrote to memory of 1948	3908	vbc.exe	85
PID 3908 wrote to memory of 1948	3908	vbc.exe	85
PID 3908 wrote to memory of 1948	3908	vbc.exe	85
PID 3028 wrote to memory of 2852	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	86
PID 3028 wrote to memory of 2852	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	86
PID 3028 wrote to memory of 2852	3028	3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe	86

C:\Users\Admin\AppData\Local\Temp\3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe
"C:\Users\Admin\AppData\Local\Temp\3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d5mfno0q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF80C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A302E878E0347749E32B9D2FE3A8B27.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\tmpF5E9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF5E9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3516451d95efb6d383d8cca064d988d4aa9eba7ac40a9ef253ce1c9950620c97.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF80C.tmp

Filesize
1KB

MD5
588c71ea3851d22a9e38ae72ec8daa12

SHA1
33f9ea1c66d96f7603d652b69e907c51b7ef9440

SHA256
3efc410acefdc03e9cdb144dc726ac73a025389b7faa76300741ba04418d63d9

SHA512
b9449d4013af858eb718a1423424f007b998d6efa17031de840bf292b73a5c4fa44de5ef0c9e75d3e3eb068f1a64e0c5d7e224b1f81452eb96e25f45a791a096

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5mfno0q.0.vb

Filesize
15KB

MD5
490ef8d553f44cca7fa5241c9fe9fc05

SHA1
db638fa1909803d5695929d8fbcccc534e761de5

SHA256
c1ee8a393f8042d684c670cf97eeb76669b15c967197b31e314c4517e6760664

SHA512
4af1aa5240ecf575f9034e910910d66d777959397f8700923165619bf76c1d8bdc0e11a9ff062f9e445b73d5044246b7b70616d7e77e067779306c91358ec076

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5mfno0q.cmdline

Filesize
266B

MD5
f9a38abfe0062b22e649e22b05d7326f

SHA1
00810c64efea126e03b90e883229b2bf09d2dc46

SHA256
ffa8290bb9dbae681e0f8e75a8f1837c30e57c54811f5e8d3951808bfffac34c

SHA512
f5d53d4e9d2234cc924c3d79bf0840f285c94f8ffa6b7dd7979a28a84f4d7e2cc81e9e3926a3d9a7c7ae9b977f0e4c2608f74ade20653f64012306ec80052466

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5E9.tmp.exe

Filesize
78KB

MD5
9919de301fbf96549f9c043343ed6822

SHA1
78cfeff6b9343c1b9e2bbc424f46132d2e1710cf

SHA256
e5bb454667208eeae286e3665d230e467bc3aa2323fdd8e1f8095a089a358e47

SHA512
da37f721e32d1c2587d537ead25cf3d564fe238035739aaf586294edd7b0c3061b1d3f18ae59c4c6ab91e0bb68dcc4f3117745fb7cdf483a165f2ae42e49abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A302E878E0347749E32B9D2FE3A8B27.TMP

Filesize
660B

MD5
e756dc9304658fec99c897870bb119ed

SHA1
1d077cdde04b6e949869def9efe111bc33a61d60

SHA256
a04cc662db0315569e71b17dadd21106785c90f5a1b9cd1927c22022d8b66867

SHA512
6f9ee9f983e97ea7db324be1c04edde486a7d0b67499041d62e976755c2dead7fadd4f5233ced6bd2a2fe43f3ad3ebb576e4442be2951682e09e4b64696f7860

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2852-23-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2852-28-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2852-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2852-26-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2852-24-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-22-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/3908-9-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3908-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads