metamorpherrat | 3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205

General

Target

3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Size

78KB
MD5

b673e63504b1ea364898ce0486725ec0
SHA1

b41bb7ae4d2385100d088aa3700571d0f047fc5f
SHA256

3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205
SHA512

aa568842f31ba09b94e3756c9fc4698aedc4e4c77eef41d2b91ead471dfef786144230f1582dbd3607ccc11f9f7c7347a5148b7233d077fbe5cf5e8e389e59fc
SSDEEP

1536:4WV52XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96s9/EtW1uyc:4WV5+SyRxvhTzXPvCbW2UP9/2Gc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe

Executes dropped EXE 1 IoCs

pid	Process
232	tmp923D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp923D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp923D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
Token: SeDebugPrivilege	232	tmp923D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4872	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	83
PID 1876 wrote to memory of 4872	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	83
PID 1876 wrote to memory of 4872	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	83
PID 4872 wrote to memory of 3844	4872	vbc.exe	85
PID 4872 wrote to memory of 3844	4872	vbc.exe	85
PID 4872 wrote to memory of 3844	4872	vbc.exe	85
PID 1876 wrote to memory of 232	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	86
PID 1876 wrote to memory of 232	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	86
PID 1876 wrote to memory of 232	1876	3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe	86

C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
"C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z5yrdd53.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9318.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE609895FFA064EA1AC3D80CBB4D1434B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- C:\Users\Admin\AppData\Local\Temp\tmp923D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp923D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3904483b7cbc7a44401580060fd5486d89c92056eea829165526e500a8fc4205.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9318.tmp

Filesize
1KB

MD5
6be752a5251517c21b871c15d8c82639

SHA1
34b6511641b4292ded5b938dfca940271b81ef82

SHA256
2d5c69abd75089d90fde7dca2e98612eb2e52da11ba19226c9482074bacb5f08

SHA512
f9d74343cd6e8b597655a5f84a49f467a0c5a08f3c9d8b1da376922539d0eafb7dc1b61ff809a76666d29415137a821c106969f52fa43d9c6cc4e8b292ea6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp923D.tmp.exe

Filesize
78KB

MD5
c742ecd0e7823d6df89dce4ed4b8b4be

SHA1
5c88a62d540ba736760d2001333dc42a615659a2

SHA256
4378c02c704b67df507e21960e87f048386e1b071f9c0fb7e63ca95b4eb46643

SHA512
ebf72ad94c7f7ffbfaa77b115340cbeab0a1e7ae87b29bf1b5dbd1e966dc5108d4bd105cf3997b5b97ff9b9ae6822d7f878087dc316df28eae12b78b4e4a5568

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE609895FFA064EA1AC3D80CBB4D1434B.TMP

Filesize
660B

MD5
2bf1cb20d4f352781447b6b69b33a166

SHA1
08f631724ffcf6e5531cd87a7e329f2b490f0876

SHA256
152d0baa8fc69f943ef906c78c6a88cea583398e6fc83a1a9dff70a1e68569d2

SHA512
71df841c7a5f3633a05a5aa3b236ab2818344dae8b5ccad339c9a99031c4fd891c18726a08529fb92eae1c695ef682f1f61c0f93c357fe2efd5f03bd23bab55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5yrdd53.0.vb

Filesize
14KB

MD5
e88ef6c1f4e2b95bedd613b409ecdd75

SHA1
04f13c226f18910997829117272554abbffed6a9

SHA256
bdaa3da05e1e7014f15137e80e819567e9c4a6735180c4645cc0002004f6da55

SHA512
7cca31071af1d4c82258d88651c8b3ecab518f3a23d732350991f5521f722e63eade49a3030fe2ca5e410bde69e75120da4c01dbcf8f4d2328456dabec7c46f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5yrdd53.cmdline

Filesize
266B

MD5
1077880c49583c2bbd97ed2ca7f33913

SHA1
9fa56e9475ae768cd3404faea3e64a84ff9586db

SHA256
68341b834b0d51d7e8cdc79c693044ae1a7c32c33ce3f976229166688a914b3c

SHA512
b5987365aa91f90bf6a0f0b02bc537c27fade34922483d2ce7d83f09de2b3643cbe5f24c3f554d43cda7682ce523e3047353d67f656d7ecb126d5cde72092b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/232-23-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/232-25-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/232-24-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/232-27-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/232-28-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/232-29-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1876-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1876-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1876-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/1876-22-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4872-18-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4872-8-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads