metamorpherrat | e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424

General

Target

e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe
Size

78KB
MD5

28d8e6bf05a793ca0023d131386207d5
SHA1

1a2e8dfb2359a8d9b5b8bcb159d04b3c286f46fc
SHA256

e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424
SHA512

26d2fd442f4af4f6e1e7d5db2ef4b9347c08cc0dfa6db966b454a49cc0c1afdf133af723ade3074be16c14a28f190afb7ae7937b75cd2d10859cb7a5bf9e30f5
SSDEEP

1536:fCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQti9/N1AgG:fCHF8hASyRxvhTzXPvCbW2Ui9/FG

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	tmp8A6D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8A6D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A6D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe
Token: SeDebugPrivilege	3568	tmp8A6D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3196	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	83
PID 3176 wrote to memory of 3196	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	83
PID 3176 wrote to memory of 3196	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	83
PID 3196 wrote to memory of 2952	3196	vbc.exe	85
PID 3196 wrote to memory of 2952	3196	vbc.exe	85
PID 3196 wrote to memory of 2952	3196	vbc.exe	85
PID 3176 wrote to memory of 3568	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	86
PID 3176 wrote to memory of 3568	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	86
PID 3176 wrote to memory of 3568	3176	e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe	86

C:\Users\Admin\AppData\Local\Temp\e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe
"C:\Users\Admin\AppData\Local\Temp\e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qb7qsiny.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEE38D8A3E304CCF8C1BE03C63A14BB6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e74ed9efa9ad6dfaae48ccfab4499ccfc5fb6b95720925f92207748fec1c2424.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BA6.tmp

Filesize
1KB

MD5
688efc5ffcc7bdac27c4ffb84ace9954

SHA1
f2f6b7702073081125eebca885e149c73bf61e91

SHA256
b8b5f023615af65c00b5cf8dddfc4b3ca6cc211ade90aca222aa02baf39ac7ea

SHA512
0c808dc5548a514cfca79d2d4cf39f45ad67cf124f7409d99c8501c90681d46713bf776a125bb16a9d9c08e877fa4de10945e7681a5e4c5f78829fd659fd1da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb7qsiny.0.vb

Filesize
15KB

MD5
943d12e6a3e9e44f61549845d5d73147

SHA1
1ef8087b2cbf643330e147ff625818295aac6df9

SHA256
1f4b0142a9b4324e0036781e2fcaa45328623dd78e916a505ab94ea7cb6f1743

SHA512
9c9307a787c92f6a9566c58ff50738ea1ab1cc554ca87e33e8f20d77c6beb93a5182f137325db43e3e57f64a816ddc8c301dfb4c1c2417185f8d8b18f9c73210

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb7qsiny.cmdline

Filesize
266B

MD5
f98afafc799fb94633c8a7d36207cb58

SHA1
d1eee77a0dfcca060681ef38a0402a27e0ed6793

SHA256
cb3c0d5c857605b5791126b004b2ba59b05b861a4afcf2f57499111dbe134e1f

SHA512
8a2e48347b4da5c071909a7dd95b25c7744b514b84d0f7af9829db1eb431b1e061f2fd43953c8107c3253b6a35a6a6cefbb1e856fe54c6db15e1daa267dc4a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A6D.tmp.exe

Filesize
78KB

MD5
69d1a7b2705197fdf1712177632fe6cc

SHA1
ec3334b555c557f6c34e8cac5540495bf0b6eba9

SHA256
c143657a7eed0940c75f82524043822210e52f9220f50069c29b1a78d1dac919

SHA512
55fd63b3ec9bb73acf6aff9fe9642b6e6a7b670c4de9a87054bb94ef5a48d7e125218500dac451178cead5893b13620ab7d5e7b4a593a635212b87972606953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAEE38D8A3E304CCF8C1BE03C63A14BB6.TMP

Filesize
660B

MD5
0bc7614a8cdf9f594291d11bd17273be

SHA1
d6f89fb1e4c787b220d9ae6e3bb42c92ba7de33b

SHA256
892868e3870b67469385c17972a4ccd3676fd4b551bfc4ae620101d787d69f91

SHA512
ef7505b402fb8dcffa8412a765b2e2e0e5ccb8d4364b67446ed5ee4ecf2ce6b1845cd27bb79f97d452d9f4f96d775d34d6a034f51d46b08b1e1df5e5a3876f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3176-1-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3176-2-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3176-0-0x0000000075352000-0x0000000075353000-memory.dmp

Filesize
4KB

Download
memory/3176-22-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3196-8-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3196-18-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3568-23-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3568-24-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3568-26-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3568-27-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3568-28-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads