metamorpherrat | 3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7d

General

Target

3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe
Size

78KB
MD5

ab4cf914ea8d225af41a0dedf5dd61b0
SHA1

8cf9f7b40c6ec183e626d220bfd73e5e05a56d1f
SHA256

3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7d
SHA512

0bebf4f2862c087749678adfe1827f9458db864d9b0b175c1968ea61806e54312e142ca668a6f8904bd2d20d769a842792aafebe53e310613a90385b0aa098c8
SSDEEP

1536:VHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtx9/O1+a:VHFonhASyRxvhTzXPvCbW2Ux9/q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe

Executes dropped EXE 1 IoCs

pid	Process
916	tmpB035.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB035.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB035.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe
Token: SeDebugPrivilege	916	tmpB035.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 2368	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	83
PID 3460 wrote to memory of 2368	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	83
PID 3460 wrote to memory of 2368	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	83
PID 2368 wrote to memory of 2492	2368	vbc.exe	85
PID 2368 wrote to memory of 2492	2368	vbc.exe	85
PID 2368 wrote to memory of 2492	2368	vbc.exe	85
PID 3460 wrote to memory of 916	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	86
PID 3460 wrote to memory of 916	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	86
PID 3460 wrote to memory of 916	3460	3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe	86

C:\Users\Admin\AppData\Local\Temp\3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe
"C:\Users\Admin\AppData\Local\Temp\3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqqc0bmk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB475BAA9DF3B4F0497B1F3FD4460E6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3e0e1c24486a231a0e054d2a59f513fa515797392121607e12ff6071f7b49d7dN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp

Filesize
1KB

MD5
042eff666780d6c452f40bbb67cb53d3

SHA1
c380862ea4f7cc0714ce9232ee42c09b4ed69895

SHA256
f0607de14833ac1bcacab7547feca39a086624bec9394584b7bed928d8ab75d8

SHA512
d5077fb28c0e9a1929085e3a92ea13bdc8c50f47b55a92fafef16592e35a949df98782f67451973dd8f2413fcc53d052ad19ebc87d87b901ca311c06684394bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqqc0bmk.0.vb

Filesize
15KB

MD5
e47adc6a273644802340c05df06d6198

SHA1
7682137a353a3d09684cfdef0066fc69de634c49

SHA256
9a5a168d56495de01c7767f04ec38accc4fac5909a38b6fdecb688831327c0af

SHA512
bd707c69aa1911f2aaad506b9f4122cb315854d211b964be1f8efe6beda326b1966157cd921cd805c39e95dbb4d27796f10d382fa2171575d96bdf026f15f848

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqqc0bmk.cmdline

Filesize
266B

MD5
ec92ccac3598b8c8a94abdc31113286a

SHA1
e27b191befa5e1b16b78c0d08d19aa568b8693b1

SHA256
2ef051f7a71e2eddee3056c82697f781bddacbbe6ba64faef00d12d84208b0a9

SHA512
06769dc978292ef0c3cb15678555e2eae7b79ddd75aa2cec5c1117874c4d0de46bdf997669611b01a0b6096825ada2e71c52cab023922bbdf10fc6e70f28b8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

Filesize
78KB

MD5
c2d0123755902a07f89906ae2352b536

SHA1
9e89bf7175b14aafa24fec1ed8bd5e6ecb874828

SHA256
04ab616d0eb97f2a573dd35b84b87af3ad4e0fd624ec56dff1d8fd2ec94cb832

SHA512
74bcb1a1c21360f99cf6d114a7e264343a578fb678ee09f5c92c0498bb1b0006767a50a8fa43945a1c701dac892b0a092e6bf2afb07fe10f571dd0bd52a007c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB475BAA9DF3B4F0497B1F3FD4460E6.TMP

Filesize
660B

MD5
31786bb106ce27678c8cf47292f6e23e

SHA1
8a1a798561a172f4a31c2a05ebb53f971ae0ddca

SHA256
e6e7babc0014aae8eeacf913253a4700ba363a2ea37926169bea56a923c80ac0

SHA512
7a20a8b02d9d51e1442da55877bd67a79201ff4bc4efed796512f45463fc26f67cbfc7dba662609c98f382a359ca6ba6e373f3b64d37b34c4d79f7924c34c726

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/916-23-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/916-28-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/916-27-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/916-26-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/916-24-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/2368-9-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/2368-18-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3460-22-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3460-0-0x0000000075552000-0x0000000075553000-memory.dmp

Filesize
4KB

Download
memory/3460-2-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3460-1-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads