metamorpherrat | 30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8

General

Target

30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Size

78KB
MD5

a48ccd22dd6942fc13e3dcf775542cb0
SHA1

f5e8deeb44d2f03b026344f55dee40458227fca9
SHA256

30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8
SHA512

c62a77b7408f643533c3173132d2f0981fef80ccf572a2434f7cbfc826d6ca5a51d55f14fa5c7c33f75514b4767f727cb8bab98787a617e38063dfcfc0cbe769
SSDEEP

1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+:UPy5jS6l0Y9MDYrm7f9/qX

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe

Deletes itself 1 IoCs

pid	Process
216	tmpA75C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
216	tmpA75C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpA75C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA75C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
Token: SeDebugPrivilege	216	tmpA75C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4656	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	82
PID 3564 wrote to memory of 4656	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	82
PID 3564 wrote to memory of 4656	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	82
PID 4656 wrote to memory of 400	4656	vbc.exe	84
PID 4656 wrote to memory of 400	4656	vbc.exe	84
PID 4656 wrote to memory of 400	4656	vbc.exe	84
PID 3564 wrote to memory of 216	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	85
PID 3564 wrote to memory of 216	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	85
PID 3564 wrote to memory of 216	3564	30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe	85

C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
"C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q370n3vb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB1CE1313F34D47A7F87C2034CD57E6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
- C:\Users\Admin\AppData\Local\Temp\tmpA75C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA75C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30049b078e062b1968c8a613b0f9187552950b231131bb763ffd6bc7348517c8N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp

Filesize
1KB

MD5
edaa4ebc5eb9dc27842fa86c45ce937b

SHA1
137795d01f89379c94d5e6817fd3e03d1b1451e7

SHA256
424d1947f164c9b1d24450ad1e9134a2c75452937b90b13a399a3a1b30600c92

SHA512
aa5cb271ed6b83f2b03febe38b89c3c98e27b3fb095ee188bc2b571f0f6318c8b3b4b3c85e23f026cbf1399df1f38e0b70f28a6d85e83eec570178b617d53c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q370n3vb.0.vb

Filesize
14KB

MD5
a2286457803fabefa3883f9a5dfef79d

SHA1
28ed95728ecfef640a733402b02b90101e73f2ef

SHA256
dbb3d7c054f3e5b1faa6c2215cce2df4d3a6f18596fd0c73d8f04c5e93f75c32

SHA512
b82c18f52fdfb21a20c130c9466f43432b24893e68bc435c284328b1c78a447cbdbdc2f1f4a8a5c577bdc7d2185ecb8b480733a9f37b0accee28edf291436b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\q370n3vb.cmdline

Filesize
266B

MD5
6f48fa1a2a9b688acf9289aef70ce835

SHA1
6108969c3cba510a7299b6690ebd895cd9e5ed22

SHA256
525307c06df8f3d088bba9f5a87b61c7a5158ba1a8627194ddb1dfe6b9c1eaf1

SHA512
63d37e6186d086e422d4642e0ff038d267f000f88cdad22a87874c94dad4afe98043379c94760e31d1a31a86e2cc33abdba15ff342848d0a3832efd632fd249b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA75C.tmp.exe

Filesize
78KB

MD5
5faf6a14ca6538abbb2e5382a30dcbb2

SHA1
a7da612fa9b58668278d8384879faaf782e6166d

SHA256
48e6ca55fe93595d394b8826655906dde8f18a40831b2a422aba4028ca9cb9e2

SHA512
bf310bfbc301d8d1804758b083214f2ffaad961a337d367414dda323455a63409d4e515098783c875932fa4327fe649c45c9f4f47af1ddc0b44c03e4706c1228

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB1CE1313F34D47A7F87C2034CD57E6.TMP

Filesize
660B

MD5
185383e69906899a31e7976053622060

SHA1
eaae74973e0d7ad844d4889f7af2d060f801670f

SHA256
20a515a64262cc029c66233b19de144eca78323e72354f4eeef62bb9c8e061d9

SHA512
7dac9b6743a481eb860617f1104552a0c148a6f7abfbb10e316bfc12d828f22a7250185eaaf0b27eaa08228fa6acdb8b0b901c608bc3d2bcab23594076b2754f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/216-24-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/216-29-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/216-28-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/216-27-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/216-25-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/216-23-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-22-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-0-0x00000000753F2000-0x00000000753F3000-memory.dmp

Filesize
4KB

Download
memory/3564-2-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-1-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4656-18-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4656-8-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads