metamorpherrat | 068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661

General

Target

068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
Size

78KB
MD5

dac11fc0102d2da445dd5d2a31c73d6b
SHA1

3df37dc3d98d3a28446d742ec2123a5ba7c962e4
SHA256

068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661
SHA512

e017b2e10686f6f99db49f7e6558ffd3f812430ee7ad92531d065710589231a7790ed89161aa5b78a5fc68af5a6d1433ca5bb81bbb6b1dfc27849d717145d003
SSDEEP

1536:o5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtM639/ME1D2:o5jS+E2EwR4uY41HyvYJ9/Mb

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	tmpB844.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB844.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB844.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
Token: SeDebugPrivilege	5016	tmpB844.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1216	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	83
PID 4828 wrote to memory of 1216	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	83
PID 4828 wrote to memory of 1216	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	83
PID 1216 wrote to memory of 2648	1216	vbc.exe	85
PID 1216 wrote to memory of 2648	1216	vbc.exe	85
PID 1216 wrote to memory of 2648	1216	vbc.exe	85
PID 4828 wrote to memory of 5016	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	86
PID 4828 wrote to memory of 5016	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	86
PID 4828 wrote to memory of 5016	4828	068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe	86

C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
"C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwkbdqpm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDB768369FC4B138CD7A42306168D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Users\Admin\AppData\Local\Temp\tmpB844.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB844.tmp.exe" C:\Users\Admin\AppData\Local\Temp\068d8c867397ab98a320d300b68ef45e55aa9ec53b878693786cc47b13aab661.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB9EA.tmp

Filesize
1KB

MD5
21c37d9c2488a9016c5d6daf49eb78a1

SHA1
fd4751c95032a8cac34a430f641f0286221492d9

SHA256
ca2aeab27858d29e7bc56024671c14b01b969dc140432f04d62c80ec489ea020

SHA512
1a7f8f1a83fd0dd0b066ca595f70a59aecaeb5864d9ae5f827cf48a1c010dd3172bedeb34b91935b469a62c4f440de15b8f59e0561bdf06f3ab79a495f52d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwkbdqpm.0.vb

Filesize
14KB

MD5
eba3d3bef5c081fd35a4bb664826eb16

SHA1
34c1017416861b8fc234ec986663a8d1438212bf

SHA256
0fea1e7da7b54bc2b664ef41e65ffe6ff3a168321368837113fa79067dc9dd76

SHA512
849e05201d24a8a155e360bb9dddd3a56d5ba1f8eaf7d2b5e958f34e8e7a0a7efc75aba24564a03c3dfd5c60351aab9d98d3d03004c2f4c0916ce9cf08e0c40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwkbdqpm.cmdline

Filesize
266B

MD5
ec643a7a234c8497936ac574113a117c

SHA1
8684a7517709e243df98a6eedfa39abf9ee8c1d8

SHA256
30ab286f495d0de4625ae4b015d35633fe9de7ff5fcb7810bda685ebdf7eb1ba

SHA512
1b75d14f42a3e4ff521f4dcbfcc1216daa1430faf6a84baf7a051950e7d43ddefa59a5b8ca728d0ddc58f8ed4bd4e007ccf76e31eb68c33d5bb951d764d6b9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB844.tmp.exe

Filesize
78KB

MD5
bfe472840436499fea5c94452b7bf86e

SHA1
dcfc50521464007cdd310b02b077619cdb8cad20

SHA256
252e99b74e93f2c1aab3fd66e9343708d689dcb303c5348fdd72aa3d939770eb

SHA512
dc034d51c5f01b56937a9ae756c41059ee2b8e4c865a05f0ebb35a100b87025aacaf999c75b9acbc581c92ee2d2766cd9a72eccc08f6769df729a700b4e06a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAFDB768369FC4B138CD7A42306168D.TMP

Filesize
660B

MD5
9207560a6ded1e6874384179a6523b04

SHA1
ce2cf7c8d1316a32129d7f89a11dd51f4ccfcea2

SHA256
9c889b397d7ad7ae90f797ab42ca065c56523c62ce4d6d1b4be3665a84c70189

SHA512
7d88d40f22141ee5fba0dae057dd817c0b90bd5357e327d83e2ebfb5c6299eaf39a78d5059168edd38e04e48650542263a683d9f7adedb0952ea88d818c3badb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1216-18-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1216-9-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/4828-22-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5016-23-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5016-25-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5016-26-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5016-27-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads