metamorpherrat | 61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659

General

Target

61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Size

78KB
MD5

e4897a8be1034d542242980607e943bf
SHA1

e36b731bcce9b5a998c5f6977171b53941eb4441
SHA256

61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659
SHA512

5d0fed165da8812f4c6320591826bcffd5120c83bec0e4e3e9c8905b5c3f171e20b1ba15af83493e5774e65cb2fff6f555da89f6ee9728683cd90d0186350933
SSDEEP

1536:lWV58BXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6G9/kD1u5:lWV58BSyRxvhTzXPvCbW2UO9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe

Deletes itself 1 IoCs

pid	Process
1456	tmp74C2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1456	tmp74C2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp74C2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp74C2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
Token: SeDebugPrivilege	1456	tmp74C2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3820	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	82
PID 5040 wrote to memory of 3820	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	82
PID 5040 wrote to memory of 3820	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	82
PID 3820 wrote to memory of 212	3820	vbc.exe	84
PID 3820 wrote to memory of 212	3820	vbc.exe	84
PID 3820 wrote to memory of 212	3820	vbc.exe	84
PID 5040 wrote to memory of 1456	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	85
PID 5040 wrote to memory of 1456	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	85
PID 5040 wrote to memory of 1456	5040	61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe	85

C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
"C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6nujquy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8AC768797AD42DC8E5F6BE9E7DDF9E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:212
- C:\Users\Admin\AppData\Local\Temp\tmp74C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp74C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61c02081dac3602ce3b073298aff8c74724d8745d04b068eda6e136598f1d659.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES756E.tmp

Filesize
1KB

MD5
503fffb6d74f9e34489d5b53aa607a17

SHA1
88819087b66fbb5dacf37ef8b395ee50acb1680b

SHA256
2b6b052dbb657c5101be60ee4ac41f4c43ecbe5f1ff6eb66a795ec777aff3719

SHA512
93f6175401fca767df0a5850f229ffb7e8a109007783d9ad31d517e32d771f531a90e90f23129963401cbeb23dddac4e8e941b07663d77327bd6e41a670d1a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6nujquy.0.vb

Filesize
14KB

MD5
13d3907a5e8d1c934882aa05292646b2

SHA1
46a3526abbc2df5593e163d92f3b7c3a2af706de

SHA256
8ab4139f5579f468ad0d21eff18e811607746a5b5b37dc042ca24e2cd4adab80

SHA512
afa9ee981b30aea77a22b85a7f94a256b8ec370f99ce2f96a835e760efdff2f38bebdd2a9d3d553b4fc17d08697677b05ee49097d8ce3486965d4f77d69ad9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6nujquy.cmdline

Filesize
266B

MD5
4867d6c3db9c1c3d7a6d9fa3b9ed9e96

SHA1
7f4f091a71e0fe15f5efa31418b46168e5cbaffe

SHA256
f5ddcf016d039416a730d66f1012bfacb29ccca99dff1894b1089068ed2f0358

SHA512
8edaeead3a9617cc6e0409e1fb2b17ae165f784696742246fc529acc4f9587ce2a04e341bf8172f2d243d3c54f2d9805a9e9d29ac57ce83eae1264b4e9097b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74C2.tmp.exe

Filesize
78KB

MD5
d1f02770072f82a0e15a3b9995fc7ea5

SHA1
2e6e100241ba45242baf10011e8e79ea1e2e6e8e

SHA256
7d548ef7f6d44eda8beb89bb1fefc6d603b50223e998fb8258900b7a327fd6c4

SHA512
2d436cfbc1b71d7fe67961a5932c1f10dfe02138b06fc63ed4f40d14723041a5bf9d16e3134c622544fc9f8d20770c90a838f7bb4c76f073cd6c8e21c91dd40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD8AC768797AD42DC8E5F6BE9E7DDF9E.TMP

Filesize
660B

MD5
7e646aaec87d95cffafced401c26f8b0

SHA1
8cb755a48d9d02f2e2b0f327c696e59bb7fa250b

SHA256
a85307a706858a3a99529dbd70c9d687de2d604aea2c4881bd17e33c6151a721

SHA512
6fff3b35e7ac5ed96aebf6577cdb32ed3b3278da9288690c51deac748977a76599b20ecf26d629f7574f60e5871613b2b14884881d31763151cff069a4975b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1456-23-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1456-24-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1456-26-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1456-27-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1456-28-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3820-8-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3820-18-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5040-2-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5040-0-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/5040-1-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5040-22-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads