metamorpherrat | c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75

General

Target

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Size

78KB
MD5

92b56149bcaa610de8cee54fac72d887
SHA1

c30d7b6bf60600a5fc775c81b735e581b9c42b1d
SHA256

c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75
SHA512

3ea9310e06749d2644518e3ea2d1795aa04a29943a00e4afb4a17adbc4b31a558060859322afd51cc85ce0d82e2453ab9567954a4a4c9d20504f7030b0be3a46
SSDEEP

1536:JRWV5jGXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6f9/gu1aaa:JRWV5jOSyRxvhTzXPvCbW2Un9/Ta

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe

Deletes itself 1 IoCs

pid	Process
4600	tmpC7B5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	tmpC7B5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC7B5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC7B5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
Token: SeDebugPrivilege	4600	tmpC7B5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1840	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 1212 wrote to memory of 1840	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 1212 wrote to memory of 1840	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	82
PID 1840 wrote to memory of 3928	1840	vbc.exe	84
PID 1840 wrote to memory of 3928	1840	vbc.exe	84
PID 1840 wrote to memory of 3928	1840	vbc.exe	84
PID 1212 wrote to memory of 4600	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85
PID 1212 wrote to memory of 4600	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85
PID 1212 wrote to memory of 4600	1212	c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe	85

C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
"C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6cftafb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E073EB193DC46C28D89CCFBB49FEB6F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\tmpC7B5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC7B5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c770f5fa75a08a206bfd700e982a15f11e3da483ff7c35bb22b9165f1f59ef75.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp

Filesize
1KB

MD5
479b0874f2c5f0529ca0386c80bbb862

SHA1
77c70fd03981f40196ef1ab56267a45e9a36e37c

SHA256
10e33314316c22d5e1a2c1c1d255befe4a70d552cc25d8ba3904b2b2bf93fa56

SHA512
f8de511b80d8352eecfdd2ce8bd9eea4bf29e41eae027e851986d5dcadb29585ea161c33290f43da612dfe1e0f2682baece52b7ff92b717f2e9777d4a9df790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6cftafb.0.vb

Filesize
14KB

MD5
b59f20c8773ab0f4095bdb5df0b4ac61

SHA1
7100cc37ba41662cc46839eae9da24de8326ae4d

SHA256
dce31f257fd944141da247e59a02f4768d5698c5a41e6e23b1b8d149ae42ed1f

SHA512
4361296436a9a30ccf925465f7ec9f2844c23a23ddae936be07f1889444114708f81d4b8345ab08a2ead9f7965ffca84685158ce4bb4e0a5f97db7861dc2ad54

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6cftafb.cmdline

Filesize
266B

MD5
3a924228b0e6250e1e1a02efd25cf6bb

SHA1
353786f2cd23ea6e8d1486edd10f754a362dd2fd

SHA256
14f949e3bc10f6889307d67ba3fe403e03208bfb031b85c8d90dbe0646300496

SHA512
5e4008097de1633fcd8955039b3dbe7c6f375fcc5059ae7b715d0f083accc2f5c55a24c3e079d5b17d8903ef0b01bbd95030d9e2917312431a92266b454a8954

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7B5.tmp.exe

Filesize
78KB

MD5
0fdffc47648cd90611ba1deae4612dc0

SHA1
6691404a6bda6e9de6aabadf3db73f46e956e617

SHA256
755f66ae3a99f20cc3b2a1b72b48663296f685d6b4d5a0ec861f75b6a1a28393

SHA512
27ace894d8e27f7b2c853b427f959f139e1b26ae38290eff8a45cec2d9226a9dd2e476db7ce119ee8d53741499905551a8457a55d71b102a0ff55c00be878731

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E073EB193DC46C28D89CCFBB49FEB6F.TMP

Filesize
660B

MD5
a8db961132067efc32baea6fcb8ddff6

SHA1
9065719ceab25b17b3b323ace0f3ffcda055eaed

SHA256
8a37e27fe2519b04a994ae23b5d3a34de80bb964ac6006199eb0d2c81df12268

SHA512
a9f05c4fb7f87dab5d091672b5f9a42b888a295519a242a1fb32b8ef1796f4322b106dca6f9abcd0b1f201d819474d084d7735bb0a66a81c9ccc1fefc14b9d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1212-22-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1212-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1212-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1212-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/1840-8-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1840-18-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4600-23-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4600-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4600-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4600-27-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4600-28-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads