metamorpherrat | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201

General

Target

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Size

78KB
MD5

54238da5a72ed01d7db296cf40b3340e
SHA1

fc6b5244a5d5dcdde315e875a85a905aacf07d32
SHA256

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201
SHA512

243750bc65586b57dc0c5fba7111f407f0ecbad4192539f6b800e1f396f9eacde398a9c5c2aa73ba1291cfb604de74deb4e16405eeedacb88be613d490cb3dbd
SSDEEP

1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3x:aCHF8h/l0Y9MDYrm7G9/sx

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe

Deletes itself 1 IoCs

pid	Process
2508	tmpACCA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	tmpACCA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpACCA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpACCA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Token: SeDebugPrivilege	2508	tmpACCA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1772	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	82
PID 4676 wrote to memory of 1772	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	82
PID 4676 wrote to memory of 1772	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	82
PID 1772 wrote to memory of 2232	1772	vbc.exe	84
PID 1772 wrote to memory of 2232	1772	vbc.exe	84
PID 1772 wrote to memory of 2232	1772	vbc.exe	84
PID 4676 wrote to memory of 2508	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	85
PID 4676 wrote to memory of 2508	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	85
PID 4676 wrote to memory of 2508	4676	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	85

C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
"C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\paoajzqi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc920DB339EAF2479E84CFB13F9032C03B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- C:\Users\Admin\AppData\Local\Temp\tmpACCA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpACCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp

Filesize
1KB

MD5
31ef733812be8584c9787b6e92b6cd60

SHA1
c0fd1d6331d8cfebe68bc8e9e2c95d7b443c785f

SHA256
8ef510734c8891ce3c2a71135e168ed2369207326cf70e2a5c7b14ffea3257f4

SHA512
db92463411afa92d8b56cca3ec847d08f32d0900590782bf6adff191c724170caf55307651ab27e1181bb0ea48b23847120790e349705be7e39563acd27d4091

Download Submit
C:\Users\Admin\AppData\Local\Temp\paoajzqi.0.vb

Filesize
15KB

MD5
3f02234f2a1a52064c3549367b306f3b

SHA1
0c8a29ca215d7bf3b2b580f0bfaff4622025bacb

SHA256
087ebb1fd76f44d97d83a61beaf037d907f40d4604e90008d1e4f484d2cd11ef

SHA512
ed16141d63649de66f34d89b5b96132ff80269d79e79bd95f5bda957f11771d208691822336798a43188921cf5536893fe2102446cba03b420440958e0ade7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\paoajzqi.cmdline

Filesize
266B

MD5
2698e537ce41d6201846e8de2f80e67a

SHA1
4e109fd6db774c63df0731d854cbab23ae08bb42

SHA256
ce3a33dc82210c6902ebe4d30f8dff8981ecd2c783f6822f7af44d5164227939

SHA512
25fd06d0001e6bcd6e5ac4e52bd2ff5ef1fafb9ccd26f2b823cadd4512a1bb34f0f4d7994061bc7f7b6496c100529ad1d7f98dc79fe3add3cb835168ca9236ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACCA.tmp.exe

Filesize
78KB

MD5
aadf802b3c6642b4510beff4a2372d18

SHA1
84262f47c2e3f0d9a076b7fd44cfa0fbc6e4fc21

SHA256
2a322dcd9ce598aace8436ffa33c0e449a829041d5dbc15951d24001b4287f70

SHA512
947b7720eb99828fce67124aee5f42652d98a661a8c8791d3f4e1f9a3b017b3337e8015931f9409a17b7a0e5b9f4c3f20eab656e20ce078a37c3c7efd2e4ce05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc920DB339EAF2479E84CFB13F9032C03B.TMP

Filesize
660B

MD5
d4484bd8f9383b1afbec4fd376f73159

SHA1
4865d91b64e17b7e167af05d40d7fb668b057585

SHA256
28a8621da9939f6ad437e776f220b229abd93a57c6d04be5c05ee35c6f96c914

SHA512
b001840ab6b60026e2d25e5351cb7f0a3c64003386fe04e014b807e1b4dc8d9986e2226992ab154b7abaf1c072c5a6cf1279f1360468ad9de115187888e64bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1772-8-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/1772-18-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-23-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-24-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-26-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-27-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-28-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-29-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/2508-30-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4676-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/4676-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4676-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4676-22-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads