metamorpherrat | fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba

General

Target

fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Size

78KB
MD5

6e65dad7ec0f24894c45295ca9d84639
SHA1

e0212066ee7ab4c70ccdf6e3e7fe147d1727f6d3
SHA256

fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba
SHA512

e876f82c11b2183bf1ee71b77e1450a1e69ec6989e2fc926e9d0c3526fa7a37c6036389a27fb68424e17751f555542fff4236492bec6e26dae526b94c2b10501
SSDEEP

1536:VHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtz9/l1QXFl:VHF8hASyRxvhTzXPvCbW2Uz9/4Vl

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe

Executes dropped EXE 1 IoCs

pid	Process
3260	tmp68CC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp68CC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp68CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Token: SeDebugPrivilege	3260	tmp68CC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1676	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	84
PID 4180 wrote to memory of 1676	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	84
PID 4180 wrote to memory of 1676	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	84
PID 1676 wrote to memory of 4092	1676	vbc.exe	86
PID 1676 wrote to memory of 4092	1676	vbc.exe	86
PID 1676 wrote to memory of 4092	1676	vbc.exe	86
PID 4180 wrote to memory of 3260	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	87
PID 4180 wrote to memory of 3260	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	87
PID 4180 wrote to memory of 3260	4180	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	87

C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
"C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ez8ahlmk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4203667A4E2F4913A8EFB2C9D5F156C7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B3D.tmp

Filesize
1KB

MD5
40fbd326f31e5096cf8c7c5c54d0d709

SHA1
01d02460c6ea1e24b3e248c31877d38ddf82be68

SHA256
9dc3e02f85bfe026ba16eb91593e6fa00f66a433e703d4da35840cb15e1373b3

SHA512
210f9fc1db07d9a87e1918006867b73afa0f176bda65638c1c625acdadd8d43a7b2fafb20300b53329d50e92eab44e5e7dc2c316edb22fd00d3c5de3f0d0a769

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez8ahlmk.0.vb

Filesize
15KB

MD5
6d8dc72571ae10bf9ef8c318e2842445

SHA1
82ea2bd3bbc1a5254ee2bc54c5ef5101a707e209

SHA256
54db2532592ec908d65dafba3e4897b3a4ae7f195cd733a413f0c29095a370dc

SHA512
3d0462484a42e79818bb30bcb33670fa7fb9a531081bc80f81ab5f1f9f15566944fce1f4675d73242f52cce7261c735488a166f90acdf432ccb47bb6f4ba5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ez8ahlmk.cmdline

Filesize
266B

MD5
e7ab7309a7faf7380b03fbbadb3cb5dc

SHA1
cb48f75cf984e2e444585ee3cdd8de873a091541

SHA256
a37f2b6866b8aea0d827f1a46211ac92b9dae2cdc5f0893eda3b7bd1b400d720

SHA512
97d20c4245fd19eabb3f8da39551c536add7106edb5d782b09f7af6f23954b3e2b1752390aa73692439e758665fadab16e02bb58f33b059ea2c8e946473eb432

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp68CC.tmp.exe

Filesize
78KB

MD5
c06fc55c6189da09c4a48b267286fdce

SHA1
1d10c0acf0b33d0314d074e2b0601319a15c61bd

SHA256
9c281c04992ede2f8c047870a484f967af8ad4db414047d220f44eba16745d52

SHA512
c2ef9878d2b76d16b530551c2c5469d72b374583f13117ce0b90d5f4108d66f69ed1ebdba4ab8df237f059d13dadaef934085dfb8a95c66fb7d2275d93bd1369

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4203667A4E2F4913A8EFB2C9D5F156C7.TMP

Filesize
660B

MD5
e5c464664c89073f600d73d25ebe44e7

SHA1
f272f44f09a9c903b71fce0c2f7a2c28453574ed

SHA256
f2922e5a86e2b921852a3ce04784429aa52c9730c0130eae82dcb3022cb1c5f0

SHA512
98157dec4d599404e173f874fedc870cac17ff163b30d095b873595b616773abf7b2fbf82932012a273f3310bd76a70f4d2e6c9e7edeab684573237df937d495

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1676-9-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/1676-18-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-23-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-25-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-24-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-27-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-28-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3260-29-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4180-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/4180-22-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4180-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4180-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads