metamorpherrat | f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43

General

Target

f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Size

78KB
MD5

de2c534c212f2f0d897605365fe4b100
SHA1

d06c70ae00ebe4199de36be32bcc0ff8604518c3
SHA256

f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43
SHA512

b956bc4a78f6a9c6b4dffa30b94512398ede2057366813780aa2644c4bb19325c5dea77f629f0de2f7fd253c22b553238e0ff99d9c86d12f8dd62cbe9e48737b
SSDEEP

1536:xy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt9659/r1PG:xy5jSSyRxvhTzXPvCbW2UC9/s

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe

Deletes itself 1 IoCs

pid	Process
1844	tmp95F6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1844	tmp95F6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp95F6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95F6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
Token: SeDebugPrivilege	1844	tmp95F6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 2704	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	83
PID 4024 wrote to memory of 2704	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	83
PID 4024 wrote to memory of 2704	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	83
PID 2704 wrote to memory of 444	2704	vbc.exe	85
PID 2704 wrote to memory of 444	2704	vbc.exe	85
PID 2704 wrote to memory of 444	2704	vbc.exe	85
PID 4024 wrote to memory of 1844	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	86
PID 4024 wrote to memory of 1844	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	86
PID 4024 wrote to memory of 1844	4024	f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe	86

C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuht9ug3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc998691CD3313484394E9A395D4C35CDE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- C:\Users\Admin\AppData\Local\Temp\tmp95F6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp95F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f58a32c0ecaef1da5124d6bf7376d20531ce665d715358813bf9d0313f5a0a43N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97AC.tmp

Filesize
1KB

MD5
23aa1b9dc0bc528fcd57b8249a4e4e8f

SHA1
516e1f0688cacbab0f753c6a9f5bc99a4d85d388

SHA256
7c2b908274c9376b1cc83cd3266408977bec32cd98e9c59b478294673d992e00

SHA512
0ac7997eb0369c6dd0c2cc3da3871ff52834f1b6a965381ed7fa74709798ad72bea46405759f569ff324ee31685199e8dc1552da7cf5c9ebf30f82de22104161

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuht9ug3.0.vb

Filesize
14KB

MD5
63e2de5f6919496d58642cac5f7b08f1

SHA1
b20e9e614f86a3de103ddceb0dc53754c0bcfad6

SHA256
ef2245375e483325abcc2e01e628020068daef3c2f549ad888fcd2a3f017b869

SHA512
09d44c0c47689f21a7ebeaf53fd06356b0eebd4f05107979a0bbdd76b4b0a53e81adbd769e299a4461981fd1db220a5d2490a201fa3c4b8d53eb79c063201273

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuht9ug3.cmdline

Filesize
266B

MD5
49959442ce0a2fc67023a49b123db185

SHA1
6b2809b0ee56f28cfe83f91cf29bbf0e6cc93805

SHA256
e174ebbfdba60cfcf98605f05f8fcb5723ddca42ce59cdcf2912ac9c2f692f25

SHA512
34b4a62d873f5a28702aaec96f1ba03024d028bb44534c34c1f1e893b179ae3d4271bd25381658758a987da424677d59790a1106b75646884bb265716a5941c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95F6.tmp.exe

Filesize
78KB

MD5
4c2d15b782f7d45770329100889153de

SHA1
45c3432d4ef8f88b18f99b3ea90eace80c25cdb3

SHA256
e5124270b1feadee807394b99ffc698971e29542de09d00fa30dc17135d693c1

SHA512
4d0c92e5b5e531b4c10eeed2407e23caa85c26caf039d798d3064ae8c260ed8b5287f9c3a9ff49caa3e4148541176569f45d62dae1fea0d1c3f0db3aa6f44ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc998691CD3313484394E9A395D4C35CDE.TMP

Filesize
660B

MD5
4f9b816515b3eb77a367e9eedc7fd976

SHA1
de65af5d0efefc9b2033a860dd4dad260a4a59b7

SHA256
4bc7fd974034ac7cc5ae16b4e136167f8a1ae2ff82e939860deca536c63cbda3

SHA512
8a9ca2494961873695961a6ca201037cdc858a9792af2f9915461b5495141fd4e3f155f43c6203291d8b42fe89bdb4646cb1956676033269fd0a69f37bc3261e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1844-23-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1844-24-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1844-26-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1844-27-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1844-28-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2704-8-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2704-18-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4024-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4024-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4024-22-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4024-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads