metamorpherrat | 4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919

General

Target

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Size

78KB
MD5

3682d0e08952bd54fa17a1fca835727e
SHA1

e3ea814f3be54232c1ca53ebca6a710de7b4708d
SHA256

4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919
SHA512

b22f55673c20afa9a52dee71469cea1d63b33627475fb18b9dca6dfb600810cec5a6bc9d6d9d45d71a4a688750732d4d1de0fd5eb69441c5f3d9e63c8a6b475a
SSDEEP

1536:tc58pXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96R9/41Shz:tc58ZSyRxvhTzXPvCbW2Ui9/jz

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	tmp6BAA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp6BAA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6BAA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
Token: SeDebugPrivilege	1372	tmp6BAA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 448	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	82
PID 4468 wrote to memory of 448	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	82
PID 4468 wrote to memory of 448	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	82
PID 448 wrote to memory of 5048	448	vbc.exe	84
PID 448 wrote to memory of 5048	448	vbc.exe	84
PID 448 wrote to memory of 5048	448	vbc.exe	84
PID 4468 wrote to memory of 1372	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	85
PID 4468 wrote to memory of 1372	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	85
PID 4468 wrote to memory of 1372	4468	4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe	85

C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
"C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4v1raagl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc305BCEB395344767B2C9E429FA2C61AF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b36950ef3ea99e4d25421c16f2860c1ea8fb898e74a378aa67dbb25120d1919.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4v1raagl.0.vb

Filesize
14KB

MD5
f144a44497a35fd686253e0c50c65c7d

SHA1
a0db8f6a344dd4ea193dd902a545a86b152d3ce8

SHA256
74110d5725ac20025704629b69eb1f3986ae78545c94a8290212d9a31c23d56f

SHA512
dd307eee44db9ffd9d80b9304883b99ffdfc592af91c6894d1886ca8debe6d7d33af1bb850a32e9656cbc1f47b20f6446816b360a8b309f8506c1441e8909f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4v1raagl.cmdline

Filesize
266B

MD5
475cfef277317aa373043f7596e20ebc

SHA1
a322d328e9ad1152a0e4b4fa16475f00a166e2ea

SHA256
9ea881df75e867033959424726c28e0b5f2411e0e8438c891acdcc7f4c2c5aaf

SHA512
30113f6e446922d76c16b16cf00150d33b943c7cdecb092237ddf58888f7b62e665fed0aea732a257a1f809ad0d42026ae2a9a199d2a743f809b7976e59e4321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C95.tmp

Filesize
1KB

MD5
61c051fa926d4c654f07572fb0587201

SHA1
16e6e0096b7d7543c35605b2b0bb1d13b812fbd3

SHA256
563848623d89604c3d39d4ec122786be2f1b0770781406cf32c2a814e1233172

SHA512
bf9da4e196953905347b07e28dda99f2b0bfa3790d9dae6e30f7cefc8dbe68c2648b633dacfa4c113d0f6e803f055fdd07ce4eb0eb377517e05df655d94f9761

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.exe

Filesize
78KB

MD5
23b0e6f0b8bd3c7ca918e06399f0879c

SHA1
cd058eceaad273f229af009032d7f73a31efbdff

SHA256
456c19bf50a7593ebf34c68ffa1a830f17ee475bfc41896c67b071114558d7fe

SHA512
a96e0d75415b04efd2a3733e6b5b4169b65ea2c393fbcf75a6661351c84d24451ce205a1e0783fa2d86ed2f8f937231d642392cf32bb6fe53222adba6fee3469

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc305BCEB395344767B2C9E429FA2C61AF.TMP

Filesize
660B

MD5
7f95c37fe5f6fbf9cc16e75fb9ddb27a

SHA1
63ac3644c89f20a03237a833ba08092f3b0212b2

SHA256
7fb8e6da1fe4255e9e557a939dd73f175e1ba24f079d97c32e351faec6a9da98

SHA512
51bd008c2522d05ee13ea7707791acfb7d595ad858c2b7b825d81d3c61a01942e745fc1d7b4b6e8eb644af7f4f524fa233da027f83adffa5825347d7b2bd7c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/448-8-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/448-18-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1372-23-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1372-24-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1372-26-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1372-27-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1372-28-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

Filesize
4KB

Download
memory/4468-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-22-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads