metamorpherrat | 98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5

General

Target

98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Size

78KB
MD5

82c8c5720f1c5886ae255297d5d65450
SHA1

170fe35f4931919dcc1f38fbb30561cf8d723fee
SHA256

98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5
SHA512

eda89ef3e98f38bc1527d89c1c752fd9d742e59a06006e3c28e11461a88b461049f0b4ea6d8d9080aaee61cc6bdd212f6fcbc640c2b1d0aa93f5a2f00a37cbfe
SSDEEP

1536:me5jJLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6x9/F1sp:me5jhE2EwR4uY41HyvYJ9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe

Deletes itself 1 IoCs

pid	Process
4912	tmpCD43.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	tmpCD43.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpCD43.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCD43.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
Token: SeDebugPrivilege	4912	tmpCD43.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1224	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	85
PID 844 wrote to memory of 1224	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	85
PID 844 wrote to memory of 1224	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	85
PID 1224 wrote to memory of 3940	1224	vbc.exe	87
PID 1224 wrote to memory of 3940	1224	vbc.exe	87
PID 1224 wrote to memory of 3940	1224	vbc.exe	87
PID 844 wrote to memory of 4912	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	88
PID 844 wrote to memory of 4912	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	88
PID 844 wrote to memory of 4912	844	98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe	88

C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
"C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gkjhpntz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B6C76C0CFFD47598F6E416867BDBD8B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\98724722ff6b8af816319e305401aea6f9ec8cf6ce332bb0a0e34734bca0f8c5N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCEC9.tmp

Filesize
1KB

MD5
07fb2ecc10c78e9eac01723b22e4aed8

SHA1
bc75196cf7d08629d87ef4c9bc0eb046233a01d1

SHA256
86e4f3b7fc37d69c0183f1f5d3ef884464968f3f22b8e5c24cc98ae641aeda8e

SHA512
e7f7ec9b9397d0ef332584c1cdc9c7b185ad71718ca03299366d7cce3007305f9df936ebfd6791e3039dd131ce225f4302e84c2359388918f1e9ccfb0e1e1479

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkjhpntz.0.vb

Filesize
14KB

MD5
63bbd7af9e5678152f4628f30c05a956

SHA1
59b07bec0187750288fe337c3e067f1fcdc58f00

SHA256
eed7174d468371e8fe2e72c79b118d2300fd5cb903af74c44a8b7bab53df69e4

SHA512
b0421a385bdd3c949293ba2226606351eb8bbf90cd33c153a6226592ec5b6a264d6c93378c8cea6ff2ce52d84469c1f8685d5ddac3a18516bce5134d82a216fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkjhpntz.cmdline

Filesize
266B

MD5
339b7547c5759108c5018126a7a463a9

SHA1
7b60799222fc3ffdc3bb48f37a5be83240f2978b

SHA256
09e6c2865f131465fd09a53bec4ecd9906a0e86ae0eedf594e1f12c5e84a713c

SHA512
ac13b45241f92582f81e53070852dbacc938675c271ea5c71a9b1d31dfc1e23489463491504c871a2309ca670435a330bc540f05f362e6bc62188fab1b22b762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp.exe

Filesize
78KB

MD5
c37c8497a3780db8f7b62e30c9e1ab85

SHA1
8e6f7f8cfa5399efadb49fb7e812bfcb5ff9dba2

SHA256
ece5cc315ca791622de68a37d3a7b80ed8f6837ffee09a445ec3308466617926

SHA512
2f0a945d89fc6ce42ae77ec74be04e1b7f1540d4092a0bd7f2bd5208860856a2157c4ffe7d46b597c6510b5103e45830bdc5c1826a878673de7057719b2802ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5B6C76C0CFFD47598F6E416867BDBD8B.TMP

Filesize
660B

MD5
edc67276b859d37e637f4122e65d4f72

SHA1
82e37d90d8d8aaba79a91a137c2ab6d5be0e0a55

SHA256
b4395212da178ba8e4b08769f800cfc648058074fb8292bf1c4fe6568864ea7e

SHA512
7d03e853d939e07853f64833e71ff62d8b44cdc449f8c2cef21122a5543c2c046cde245fc2890cebb573310e7952e7b41a1eb858e3b04c35b22378d1823966a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/844-1-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/844-2-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/844-0-0x0000000074742000-0x0000000074743000-memory.dmp

Filesize
4KB

Download
memory/844-22-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/1224-8-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/1224-18-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-24-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-23-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-26-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-27-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4912-28-0x0000000074740000-0x0000000074CF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads