metamorpherrat | 4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80c

General

Target

4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Size

78KB
MD5

fdca00e3cab6ca4b1624adc781a79e40
SHA1

1da36b77c73dc6ca0d7604861349ed063a0f4d67
SHA256

4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80c
SHA512

dcd3b2281d1dd5abf784d332a9344e51360b5c6d81021e1fc230070f457a2078f193596b27ddcf691b79fb780fab7e4d7d1801d8ae99f717632205230f60bee9
SSDEEP

1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GN:dRWV5jeSyRxvhTzXPvCbW2UM9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe

Deletes itself 1 IoCs

pid	Process
3760	tmp86F3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3760	tmp86F3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp86F3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp86F3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
Token: SeDebugPrivilege	3760	tmp86F3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4476	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	83
PID 4856 wrote to memory of 4476	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	83
PID 4856 wrote to memory of 4476	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	83
PID 4476 wrote to memory of 2380	4476	vbc.exe	85
PID 4476 wrote to memory of 2380	4476	vbc.exe	85
PID 4476 wrote to memory of 2380	4476	vbc.exe	85
PID 4856 wrote to memory of 3760	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	86
PID 4856 wrote to memory of 3760	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	86
PID 4856 wrote to memory of 3760	4856	4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe	86

C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
"C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yyvpevec.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES882B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc681804F5B5794029ADC7442333174B7A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Users\Admin\AppData\Local\Temp\tmp86F3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp86F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4dd9eed2b0a4494c655f07b90acc24b3ca1aeb5792adbe7313e949da14e8b80cN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES882B.tmp

Filesize
1KB

MD5
ea90f76a5773d978bb211eba168ccaa7

SHA1
dd1a01e8d3e0bade5cddd1c3a9b4f72223061da3

SHA256
9925b007fd787ef4331715da974237f8a866381a09e2b5d573341d29239908fa

SHA512
7fdcfaab9f6eca51cdaf0d8f42c118b3a7ac44075cb762c9dfb7899d1f9258ac2fd957db0f370e4f241e6bd44a4252bea9fd324cd43d2b834b74da50c0bb1b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86F3.tmp.exe

Filesize
78KB

MD5
3c95e6e66ae2b035efb994614b32082c

SHA1
dab4bf8fa96caf3bc6c41c9a559e4642c0945645

SHA256
cf4a3d7087b2830c8813f6299b93b13653d82479ed441d984e4b57886f5e3c63

SHA512
1ff14d81cab7a517548ca9e31b0a9ca92f78fee2a001e55461a92006f09a9fd7169ffe8723741a01100b5703cfd2ef014e94a32cd0bf8de0949957b1c0dad945

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc681804F5B5794029ADC7442333174B7A.TMP

Filesize
660B

MD5
4587acda035601f51f2678413e4459a3

SHA1
455ffd111ea390149697e60989d070ae702e0a8c

SHA256
4c8a4a6ad578bab3e00aad2b49c7533d69756ec0fb3ac79d0a5a97376869e410

SHA512
82686f49ff005f225056b4441850b0cf1e09753bc7aa1d8fd86bd0ddea1663ea63a9258bbed51092cba0a2002e82e19d97ca8d7a399b1a4076aef38e722cdfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyvpevec.0.vb

Filesize
14KB

MD5
8f559d22b8ef2af5fad07280fd984438

SHA1
a998eb5ce15b249e4ed0fe864d5f870470c862a3

SHA256
1686bb161202a5fc3eb3b95eae5c7d914def600b9d962b3adca6225e36e6b63d

SHA512
61d4d7e6d738f90af77cdf832f864a7756fa75960a226ab0681893e1f5cffcd440d6d193835c73556d9a9a6e56eff864377a51b2a323225d6ceae3106dfb5c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyvpevec.cmdline

Filesize
266B

MD5
7782a0cbbc05992df84960d4096ae9d7

SHA1
1f90e0ce886d3b1513cf511421f3e917f5a49b39

SHA256
360c91a4151682912ff3729942b74fda8247facce49053a2017924cc5e659dd5

SHA512
ad5b6cffa2e8a835d625a55af005b0f29327e7ed9638b191f6b3ac5d10a8e3523750faae44299140f415a5c44b70633c741bb95a0797f04bb8ffdac263326cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3760-23-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3760-24-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3760-26-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3760-27-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3760-28-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4476-8-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4476-18-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4856-2-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4856-1-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4856-22-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4856-0-0x00000000752A2000-0x00000000752A3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads