metamorpherrat | 9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998

General

Target

9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Size

78KB
MD5

d07e16c653397a6d7afc1071c8f83ec4
SHA1

61af8fd022c3653b84e221afcce624e7758b3d95
SHA256

9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998
SHA512

77da0d2d3463b3433e546e38792d22b9eaac7904bf14a3e6c1d6285f56151641a2811fcd56805c3cebacefa5e40953f49058b6ef1b15f38fdeb72a50b8c2f978
SSDEEP

1536:oOPWV5jSbvZv0kH9gDDtWzYCnJPeoYrGQtC6N9/ju11P:DPWV5jSbl0Y9MDYrm7l9/jm

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe

Deletes itself 1 IoCs

pid	Process
1872	tmp8E36.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	tmp8E36.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8E36.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E36.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
Token: SeDebugPrivilege	1872	tmp8E36.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2456	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	83
PID 2896 wrote to memory of 2456	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	83
PID 2896 wrote to memory of 2456	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	83
PID 2456 wrote to memory of 208	2456	vbc.exe	85
PID 2456 wrote to memory of 208	2456	vbc.exe	85
PID 2456 wrote to memory of 208	2456	vbc.exe	85
PID 2896 wrote to memory of 1872	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	86
PID 2896 wrote to memory of 1872	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	86
PID 2896 wrote to memory of 1872	2896	9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe	86

C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
"C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pne3vifb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES900B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc333D632DCBD94F0E812955BD876A92B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- C:\Users\Admin\AppData\Local\Temp\tmp8E36.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8E36.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9f29c275889b5735a3d8bc09b04354ac6abe57545ecfc23d389ced8f854c0998.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES900B.tmp

Filesize
1KB

MD5
f4323b43b59406d22813063eb98c1457

SHA1
be882b6d5e161844a99e2b533e5a7711c43396fa

SHA256
8fa26145e8419894e66895dfbd318c7cca3ce0471a8685143c166609a8f77287

SHA512
51f0f3c98c2661025116587b2d0f114b347bb68e366b177baeb62e759b204986bdf32508b5b3dbb9061bfc18db6f6c8740cf84e07a39dfa10ca4559c59b25e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\pne3vifb.0.vb

Filesize
14KB

MD5
4296cb469ec394afb594afa39e8d0b87

SHA1
429590203a1a4439eef7616df631539a1fca406d

SHA256
be07f7d843042941e2b042ad53e421b71cab437e9ac5780b8883dcdbb3d8cdad

SHA512
00ddf79f6d0cd67b17b32937d2cac5c0f5b4753a1bf215a32c9fd5d1a9f87afb08c5f4ad149664672fe32edd684fc8d25d27781923d93e253dd84de42a05c0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pne3vifb.cmdline

Filesize
266B

MD5
8d8279864e029902e1b8e40be84a3a2d

SHA1
ee57a0db1b02f25f646ce498ddfd7db3b12ae3ad

SHA256
7e2be4f8c1528b5bbffbec2b4a879cf91f988a4237c68c36640cfaea58f40dc9

SHA512
cf6b3e775c7b4b98fec4e2f3cae492ff3446833526a0860f042784690f11e6c2539d17f7810b879ba71ea5c4741863395e5e7f773c9b1ea152277ecbbf0c56dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E36.tmp.exe

Filesize
78KB

MD5
685d50469354a640750b015ea8d886a1

SHA1
6153ec863999d34d0b292881472cd6c1b3a6cb32

SHA256
838ba2bebf197d3ac11aa0a75fe02f284929a2988d4718aeea40a70f93b370bb

SHA512
8a08418683661a821fcc8a6b0e96760857c90de1edd0ff9ddaf2db4d8499ed9932942811beb12090e134ab56826ea2b349f26fe2703f30a26eaef2c2a2df49b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc333D632DCBD94F0E812955BD876A92B.TMP

Filesize
660B

MD5
bf6f9f54be0acf1235dc136c3fbae20b

SHA1
5f5d38340cd7212027692904c3aaa9dece007c9c

SHA256
a68542a713a6cd176836592ec855221f259b2b4dc476c4d5c102faa071edf197

SHA512
a5f5e491f2d714180b33ec4f4964e62e4e2465067c92056d32ac8e28959af7f91dc65db343ef5cc6f70fce3f688752ab983b793976c9cf34b51e6a3887ba9a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1872-23-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-24-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-26-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-27-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-28-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-29-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1872-30-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2456-8-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2896-2-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2896-1-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2896-22-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2896-0-0x0000000074DD2000-0x0000000074DD3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads