metamorpherrat | 965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd

General

Target

965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Size

78KB
MD5

b209d0f39e8ccfe218225108100664d1
SHA1

6a0896294a8d9e1442b5a7b70e1c8ef30844ff2e
SHA256

965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd
SHA512

9c52f9a7656905baf1173b59a18ab5bf9de8cf09013f2468bc99b573f24cb34eb155439be50e09d010f7286cfc3c9e58d4df781f9c146f954d2e52ca3aa3335d
SSDEEP

1536:NB58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6Z9/IT15VP:X58WSyRxvhTzXPvCbW2U29/mP

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe

Deletes itself 1 IoCs

pid	Process
528	tmpBD35.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
528	tmpBD35.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpBD35.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD35.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
Token: SeDebugPrivilege	528	tmpBD35.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2004	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	83
PID 532 wrote to memory of 2004	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	83
PID 532 wrote to memory of 2004	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	83
PID 2004 wrote to memory of 548	2004	vbc.exe	85
PID 2004 wrote to memory of 548	2004	vbc.exe	85
PID 2004 wrote to memory of 548	2004	vbc.exe	85
PID 532 wrote to memory of 528	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	86
PID 532 wrote to memory of 528	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	86
PID 532 wrote to memory of 528	532	965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe	86

C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
"C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xtikomw0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF78A081CFC44E3F865FE74F7276F0D3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe" C:\Users\Admin\AppData\Local\Temp\965a9ff8aefa5f2cd84039ad21b490d565008e3d94980636835e7e3c29835ffd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBFB6.tmp

Filesize
1KB

MD5
07596beea31e52dda01debfaab298e2f

SHA1
ea9fe176c90ef1711d6572f444530f426b68e764

SHA256
c77a1b5ac6718fb0828484d377014beae611e16f714932c1935415616f4d6705

SHA512
649cbfa96731d027644c5e6ec896847f2d043018443c038d391df90189d250879e18447ae343816b17e96b29a8fce3c30a163c41d3183d23cbc0810418e4447e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe

Filesize
78KB

MD5
e2e1db7bf1177f0bdc9a6fd7dc54bcd1

SHA1
5e265c5ad6eddb46adfcbbec87eb77eaa4f22dcc

SHA256
b259c58a58e2d9c658f040acaee89000d4881507c6ebf20bbcda8aed30a0e724

SHA512
71b499734c2e134b09e837faf38100f6175dc82160ad7be0bcb7dc4e6c425d7b03277ce03b3e65aaeac2cee1420cfa4d33b7bf733579866ed577f9a3b4d63ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF78A081CFC44E3F865FE74F7276F0D3.TMP

Filesize
660B

MD5
4d54f061efff9cc751a5c36a0d471d44

SHA1
378d07e4333cde8385cd9f13153dc411202c416a

SHA256
0debe719b70154bb1c810249d7e64939533bea061d7b9da99426b1fe60af6414

SHA512
51fa0cbe871ecf12aeb7b5602a7d27e6c4613446850448f816272d74de3951649422738e42e5a7f75fcc057eabd005d6b8b00956767fb53ba2dcc7724aa71804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtikomw0.0.vb

Filesize
14KB

MD5
c28e510e91ec914a0261a0ab35ec4dd9

SHA1
2d51aec30ee95eaed3a1140049ec979d25b3cd86

SHA256
afa3535978094729d3d9f811c80149042cf44cb282e617f0fb6cb994eb4de930

SHA512
cfec6c71c292d6be597d1589e5349588c56bce01541ea9f4ffcbf2151ebd099306eb2421e533321e7b4e8225ffd2412f4d16d3d440b7d24ddb8f6348bf098782

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtikomw0.cmdline

Filesize
266B

MD5
34196c39ff7f3467216a7bcaffd699ef

SHA1
4f3bdb7541b486e67e4924bd3df1d61bd264283b

SHA256
25180210e9922d0fa67a0ab4d940779c96d452817e2aaa9086f45afb7926acf5

SHA512
68b5faabb8ce6a025d779105155df7e770814c6e58c6c6b111658ae116b23f2bb3996ba6b81aa67c2dd8db18a4042e8985e54b63de3a54e8f5461df93c103dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/528-23-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/528-24-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/528-26-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/528-27-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/528-28-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-22-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-0-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/2004-9-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2004-18-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads