metamorpherrat | efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890

General

Target

efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Size

78KB
MD5

9a412ac39baa32f0bfaa8191e951b5da
SHA1

8881fbf8cc4a33a8d067febb7df6e7d5a45e4548
SHA256

efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890
SHA512

800f5155e2dd51df7051cdac16a73b1e57f270195d7f4c721935236744214cd4cedfc38283232a13a72a954482ea0ece7f44c06115f3330e0220e624f655050c
SSDEEP

1536:7zV5jS2vZv0kH9gDDtWzYCnJPeoYrGQtC6N9/M1+V9:nV5jS2l0Y9MDYrm719/f9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe

Executes dropped EXE 1 IoCs

pid	Process
3744	tmpB4AA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpB4AA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB4AA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
Token: SeDebugPrivilege	3744	tmpB4AA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3356	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	83
PID 1888 wrote to memory of 3356	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	83
PID 1888 wrote to memory of 3356	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	83
PID 3356 wrote to memory of 956	3356	vbc.exe	85
PID 3356 wrote to memory of 956	3356	vbc.exe	85
PID 3356 wrote to memory of 956	3356	vbc.exe	85
PID 1888 wrote to memory of 3744	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	86
PID 1888 wrote to memory of 3744	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	86
PID 1888 wrote to memory of 3744	1888	efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe	86

C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
"C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7dl_zlof.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEA93C29A5449D3937C9582171425D2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
- C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\efa80d35db452df70f3addd9d6565578ebf80276e06dd70af98a93cb5c086890.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7dl_zlof.0.vb

Filesize
14KB

MD5
9efe50d78b6c3546b1b2115b438ac4c8

SHA1
c438cd407a0f5c5c1bef87e6c6bb9852ad49fb3a

SHA256
07235071e1f4084111a369108e1dd89ccac4891bfb954d9cdb6f261012708059

SHA512
77d9a34f05f30b9f86ee3e7952de237020db237a63d57916bff185fe18a9e908489ccdbcdf55414ffe0b189afe49a4ac752601c04a902a208599ba3522da29a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dl_zlof.cmdline

Filesize
266B

MD5
dc1047ef2faf2579be381b8a8fe13c4c

SHA1
1e577ebbae8211bc9a3088c17fc3ca388d7af1d5

SHA256
74ff50293f98471e572c86df082ee76d7886b2aebc9800df2154eccc973851e1

SHA512
58b9309d32bbfdbb863971f7ab5fb58496d88616868b5f6cfa2ff5004ed1c0f1d31186f139afb2aa27a25c2eeaea2de67408fafbb924e84fa83b8dbb7e31e0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp

Filesize
1KB

MD5
f8017f09b08899e088c131b8c7b7bf01

SHA1
f5e13b8e9357e7cadd15d402f0f77f3c172f2454

SHA256
c9a9cc502e4d5cf337d67185cdb0042ff730f75a52013ceb6db4282db2873d35

SHA512
6d95f7fa4609b9947756de9073027324b226e225361e928cdb3a8a550ad25284549d31852b0de4f4e4d8892cefc9611d7bb6b269adc4deafd96d12cc059876c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe

Filesize
78KB

MD5
5494f77769d5cf9a2389584e69be1155

SHA1
e99f255fdaae753be7f748bbb75465fd1c0fef52

SHA256
cebebf6b6d7738e6f4d34ce8ac2ed43919e780ac22bed7bd9617a13f2bdce193

SHA512
24f43a2096c2f856d3973809e9f74c25dc211259667d426f9e843214980b418660ae271ec26e35ca46b2eaa632dd09a77b3cabc7d4c79c0a3d313700a8049e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCEA93C29A5449D3937C9582171425D2.TMP

Filesize
660B

MD5
57451314de6ed070436941776ff146d8

SHA1
4d7cb1a251386517b1573652b448407274a2852d

SHA256
fcb00a83c89c5f7d58e16d6cd4f04d4179bdf4d2358276794405f17aaa6a07c6

SHA512
5c762c141efe3ceb8932ef779a583106dec2fbaf5eaaaabe02ae4b5b16ca187ad24042189852afbf90a3fc82ef77fc6d9ae3fc944114613c837e65be99ce35bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1888-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1888-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1888-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/1888-22-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3356-9-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3356-18-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-23-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-24-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-25-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-27-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-28-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-29-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-30-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3744-31-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads