metamorpherrat | 26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9

General

Target

26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe
Size

78KB
MD5

790d0326246a8ab6fc4adb98ec27ea4a
SHA1

70816ddf9fded00157b9fda700e0c1ab36f230f4
SHA256

26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9
SHA512

973902ccb7693b191e4936dbbae44c6a56f52bf1ced9c4960905b3a783fda1bb6c0636febf82bb69c9556ec5143ce9be7d158fa53b072e4b7718e69e3369cad5
SSDEEP

1536:zWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtev9/O1NN:zWtHF8hASyRxvhTzXPvCbW2Uev9/o

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe

Deletes itself 1 IoCs

pid	Process
3212	tmpDB2D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3212	tmpDB2D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDB2D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDB2D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe
Token: SeDebugPrivilege	3212	tmpDB2D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1300	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	82
PID 1544 wrote to memory of 1300	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	82
PID 1544 wrote to memory of 1300	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	82
PID 1300 wrote to memory of 2848	1300	vbc.exe	84
PID 1300 wrote to memory of 2848	1300	vbc.exe	84
PID 1300 wrote to memory of 2848	1300	vbc.exe	84
PID 1544 wrote to memory of 3212	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	85
PID 1544 wrote to memory of 3212	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	85
PID 1544 wrote to memory of 3212	1544	26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe	85

C:\Users\Admin\AppData\Local\Temp\26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe
"C:\Users\Admin\AppData\Local\Temp\26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pgqgeir1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4F4C2F378B648A9B93D639C0165AAA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmpDB2D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDB2D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\26303b3203438716d2073688a6858ebe01dd731ecb0e3c72d4299913a02480d9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDC56.tmp

Filesize
1KB

MD5
e73d906a0f0ca53f7642adc6056ba5b4

SHA1
260f6107534ca84517be268e73ae6de6a25d6884

SHA256
f531e6b3fe61285a7347b88df8673304cc6591142d0c5bd1813261c40f338393

SHA512
0e84d083cd462d318bd79f34ef7b1af2618eafed80c1deacbb6e2411396035fa20c4ee89b2ab325c9c71bc68e2e7e5665aba682556a76248eb402f813ad612aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgqgeir1.0.vb

Filesize
15KB

MD5
0fa64561167bfe9f461f25fadf7ee9e8

SHA1
ba75a2f3d3a16c66034c162090038a182bdf3e1c

SHA256
c4c2b841a347977ce672b2900bf2f889fb04a6486a567afbe52a77ba291a3aa5

SHA512
57e711b587aa33160b73e7f99163cc8a5f9e98306a0e2ae64f90c24b444e22007e29a5b556ac2ffac50a936fed2d0a736440994f5269597b4e08cf0f1ab190db

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgqgeir1.cmdline

Filesize
266B

MD5
468db545bedebb2e66c9b899b4ec0930

SHA1
0e27efd7f62bf9b02e3163887c445b54fa54d893

SHA256
80e1184940d4e27460fd4f32412cbc77777a2ac4dc041a818d9df8aaef3217d4

SHA512
df48fbb22baee06b31704c4c6ab7a6f0d3ff71c77f650de1debbbbbcb5dd514ea6f864c44b8df9e8066a34fa0d8c89cb5034cf89589e501ac237297ad8d137aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB2D.tmp.exe

Filesize
78KB

MD5
070b7bff42f5c8d17d8adabe6714d697

SHA1
43da1a722fc04d36494a7fa2abb8de13e13fa559

SHA256
4b40fc5c41ab2783428c312137f463c5c71c3ac4cbfb682042c6045d4c6aa4b0

SHA512
edce68c655a28e0186166e819215e79c0e051ae3c21cccea7ffd482c0117760f6da428ee0a8c0e68b3f67b8538ab032142aa2e71930317780e8497a93e2bf3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4F4C2F378B648A9B93D639C0165AAA.TMP

Filesize
660B

MD5
7b3f061d8d42752888e8b85a49625de7

SHA1
a1eab7ee575b71cb510212c9e0271dee7bfa636c

SHA256
3822bd7819a868f20804f1ea72bce651ca0e38ae285723b2ff33c259643d7a01

SHA512
7d8fe35b8bcd9ea7861b1cc98d1a670ef87fd8c3742a9ba6e380b2b504f18717222955c0c3a74c9e71666971d736bb6ecdbe3a9995e29a4bcbcd93f60de1f9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1300-9-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1300-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1544-22-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1544-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1544-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1544-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/3212-23-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3212-24-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3212-25-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3212-27-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3212-28-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3212-29-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads