metamorpherrat | f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833

General

Target

f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe
Size

78KB
MD5

109d04e78bfb70fc51dd6e676f63a499
SHA1

6b5000d942424709ff397c07c129552f9413af8a
SHA256

f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833
SHA512

f2bd03d0e13b322c8c2193cd7f3ed9484e790bf9fc9d6bc93f76dbd9687a261feb296c7b727cb03cc221ec7726d3ec1ee6addd9c4ab3d58bcc917fba451b35d8
SSDEEP

1536:XRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteV9/K1Q+V:XRCHYnh/l0Y9MDYrm7eV9/oV

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe

Executes dropped EXE 1 IoCs

pid	Process
4372	tmp805B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp805B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp805B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe
Token: SeDebugPrivilege	4372	tmp805B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4924	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	83
PID 2856 wrote to memory of 4924	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	83
PID 2856 wrote to memory of 4924	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	83
PID 4924 wrote to memory of 1096	4924	vbc.exe	85
PID 4924 wrote to memory of 1096	4924	vbc.exe	85
PID 4924 wrote to memory of 1096	4924	vbc.exe	85
PID 2856 wrote to memory of 4372	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	86
PID 2856 wrote to memory of 4372	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	86
PID 2856 wrote to memory of 4372	2856	f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe	86

C:\Users\Admin\AppData\Local\Temp\f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe
"C:\Users\Admin\AppData\Local\Temp\f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mar6xbhr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8155.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35D472BEDF1E423F86F0FC942BF274AE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f7746e5cc7ed28f0eeda18abf65a26b041e4cd9cab90ebf97e17e56638afb833.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8155.tmp

Filesize
1KB

MD5
b5e0bd4444313a65a1295d3fdc918bc3

SHA1
64ba39e794f538ec6e74399201d224338425de68

SHA256
23f0bda34f9c69e4bc48780b933fe296ea31099233c702eafd452a49d8b0c670

SHA512
695290dbd56103eb59370fca519017dfa84648ed8e604bc24c9932b6fea9fb6478fd3b6d162b797ba0bff3a8ed752f168ebb32f0f5155c76699c79faa8129543

Download Submit
C:\Users\Admin\AppData\Local\Temp\mar6xbhr.0.vb

Filesize
15KB

MD5
da2340b6b7f22f1b86688980551e40e2

SHA1
cc43f0db1af4987e6ccd3b6db4f233232ba828f5

SHA256
02ad2de40c58d70d691a7f8e082efb3fc5654e4cb2d1d53cd8f40fb757fea42a

SHA512
87647786dadd5d4b2ec821ddf7fc470723a4e8d8bc69cca0cb86a16a8faacbf5adef790aeb0733a65da124eae127d6d27e96f4c93d2939fd54f5c3bf785bf487

Download Submit
C:\Users\Admin\AppData\Local\Temp\mar6xbhr.cmdline

Filesize
266B

MD5
636b041a278f08b075c27cb45306e17f

SHA1
5baa1a2e201c01d0ea8d39ae5482f0de7206a1d2

SHA256
0b85b57b2a32c342b83ce106f9c12fdd0c5124d53cb90e5e0027349f974bcd35

SHA512
008649a90afcb027fd70f6d9b08ac7cf39d85f4a9691addf66b000507f3e69d3689801c0aa06627bcd66b7c231551c1026ba0fdd0a40874ca2fe46f2c61d4ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Filesize
78KB

MD5
80a4c009df3c3b6a0a3b256d95d50f91

SHA1
13b6428cb58031e80068a7fb16f30dff307fbedf

SHA256
85b851e7f5a1bd4e786b86412009bca376c40b3c84470165764750eb8fd70800

SHA512
8740485af6729f26c32c0d9e66a8c8ed62eaf23474a20732fe44414ccc9ec40d07e756d78a2b70f497ccdcfc60925ce50bbb4cbb8f56e8adfbfcf71ade95fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35D472BEDF1E423F86F0FC942BF274AE.TMP

Filesize
660B

MD5
8b4f6e3c5ec87cd97cc24f022242f950

SHA1
4c062b85cbd269fe482f1249ff09d8bdf39a2f39

SHA256
fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7

SHA512
c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2856-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2856-2-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/2856-0-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

Filesize
4KB

Download
memory/2856-22-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4372-23-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4372-24-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4372-26-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4372-27-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4372-28-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4924-18-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download
memory/4924-8-0x0000000074EE0000-0x0000000075491000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads