metamorpherrat | 4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469

General

Target

4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
Size

78KB
MD5

f8fdd74feaefcb78be46039b2d1c8ef7
SHA1

3662f57522fec40ba02abf47cab8d78a19d08730
SHA256

4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469
SHA512

84c22a7781c7f309107d7b5b5fe8b0a69951c6bd3a65843bdad35a14509d46b688259ab712f1adcd5e31b25d4f7661196ee34da5a298e1441284f4be88cc37e3
SSDEEP

1536:tWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRj9/P1Z+:tWtHF8hASyRxvhTzXPvCbW2URj9/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe

Executes dropped EXE 1 IoCs

pid	Process
1892	tmpB873.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB873.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB873.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
Token: SeDebugPrivilege	1892	tmpB873.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1156	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	83
PID 4808 wrote to memory of 1156	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	83
PID 4808 wrote to memory of 1156	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	83
PID 1156 wrote to memory of 2040	1156	vbc.exe	85
PID 1156 wrote to memory of 2040	1156	vbc.exe	85
PID 1156 wrote to memory of 2040	1156	vbc.exe	85
PID 4808 wrote to memory of 1892	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	86
PID 4808 wrote to memory of 1892	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	86
PID 4808 wrote to memory of 1892	4808	4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe	86

C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
"C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znk5grtt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C0F1185742E49138185D091A98D4841.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d0b294e486697445d33f5b49f764be42d7872903c7c58008d56effadbb37469.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB9F9.tmp

Filesize
1KB

MD5
349b83856d8e05a13e8a932af0229025

SHA1
723a83b3c5cfbd194efd6b756ccc1fcdea2a2aac

SHA256
b965975d958e9aaebeb1efb0a437c32f57a3c62e7dc8cff0c1f547d1c0138113

SHA512
a92a056b6f3329dd45be06a611d1a9f3ec440e8e9a3d130020f555ebcb8ff516f21773487eac6a8ab816296eb4d925a24e5d299580024ceba040e0c6cd5f1494

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.exe

Filesize
78KB

MD5
a485f52ebb9ca6cd7e84aab6df6e01c3

SHA1
7217078b25c1e12dc4ed6a097784136fed8ee4af

SHA256
b71898ca4b7220dd39eb678b6491bca6ee5f3dc24f3e6e3d639dd18e2b2c43eb

SHA512
29e3cc36b2f08823dd98cb0e5b0643b5e2a7fb7d6431feef7699f255af57347aae4c1e16e147cfbe05a28d8812316b6da683861d9f47e9dbd2f387839d1c0aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C0F1185742E49138185D091A98D4841.TMP

Filesize
660B

MD5
0e7ad07c91f082d9088497d2bac767d2

SHA1
fdf07b26ec26dc4f917f379e5b74876191286416

SHA256
0dd138ff4d9e4a0aaa2d3548991a5f901ac589f782c88acf02fc7eef3f85c5a9

SHA512
22460c66d1afd74aa58f9f19331d3f81c3b1afb327af8179cd9474336351a07e58ce4d6f91ff7a2e7a8dd5238a4542ee7d82f917d00fcb2849bf3b4cece06db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\znk5grtt.0.vb

Filesize
15KB

MD5
ce359e637bec5da795366a9782e0c321

SHA1
fe107779897a7aa6798075f7b7730f39ac4e4965

SHA256
109c8afd6b8cff380abe99aacf9a222632f641fb3824da985912b855bf12dff5

SHA512
38cad7d859e7c630cab9b9706001bfdf6c49279c9430962988f40ee956be3b7b08c877a16f9dc8444123de7a6493a02639035c0131f8fd862c8faed9ed759077

Download Submit
C:\Users\Admin\AppData\Local\Temp\znk5grtt.cmdline

Filesize
266B

MD5
af29ce5b71ecb1075c81957f3b3809a2

SHA1
2d44e4a1053cafabcc65927944ea42593f751808

SHA256
39d8a14dc79cf5213df4d04765111597b338787ce1704483fec1b698878002f3

SHA512
4e7f757a56755f8db741977cadb27fd0bb73aa91b7410703b00a154f990f12bed664e7da5497e0a44c4fd9533bcfef1db85cb05ea6a64eec87d9b97de691bd45

Download Submit
memory/1156-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1156-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1892-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1892-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1892-26-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1892-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1892-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4808-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/4808-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4808-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4808-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads