metamorpherrat | 76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199ab

General

Target

76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Size

78KB
MD5

61010335d8e998d2ac1492920b3e2090
SHA1

e485e13772b6dae5cc46a8aefa3082aff9778d6e
SHA256

76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199ab
SHA512

1f55ae2648502273faef5966341134ffdfdb3ff4b76b8d123c34f582388f4f09635fc9e3ea251ba5f881f4f1f0f74cd5977669ba239334e8114a82aa5d34b91c
SSDEEP

1536:WOc58rvZv0kH9gDDtWzYCnJPeoYrGQtC6T9/Xq1c8:Fc58rl0Y9MDYrm7b9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	tmp9E24.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp9E24.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E24.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
Token: SeDebugPrivilege	1656	tmp9E24.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2724	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	82
PID 1960 wrote to memory of 2724	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	82
PID 1960 wrote to memory of 2724	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	82
PID 2724 wrote to memory of 4104	2724	vbc.exe	84
PID 2724 wrote to memory of 4104	2724	vbc.exe	84
PID 2724 wrote to memory of 4104	2724	vbc.exe	84
PID 1960 wrote to memory of 1656	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	85
PID 1960 wrote to memory of 1656	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	85
PID 1960 wrote to memory of 1656	1960	76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe	85

C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
"C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iw0eu6bf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA047.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C86077DF78C45049B5CBE6CC454599D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76e04a609b4e864573e24ab9ec846f6cf57318af83a986aa2c4c1415e21199abN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA047.tmp

Filesize
1KB

MD5
1a6e442df945b9b2380726a3b20e96a8

SHA1
dde6abfc1828310e05752f2683a1e2a1727becde

SHA256
143946b3bde0caf4572f1ca526d4d25f5f311bb40f61227b33bd848031183792

SHA512
0a286cae013ba6d4db36ffbeb8da9b52f8e8ae0c4999cbaed6243c586e2f05e4af4d85c06b7389015f4ec29047507404f643ce59a85388afa289a97d0b4f5536

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw0eu6bf.0.vb

Filesize
14KB

MD5
ed195a28a90f02b8928567438776a74d

SHA1
6ac430fb7a019a431c2c327e06516a3acb22f60b

SHA256
cdd2799404938a754fed1aaa35409d5d18269943d08c425a88e1a878f207a2db

SHA512
96b793071830dab5ef3f5c1ed015e5759ee39c0cb994624512383c273a4bc28a757f28c56fa29c48699c9fcaf6defc3511341bdf9b41ca92c1cdee50c3169454

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw0eu6bf.cmdline

Filesize
266B

MD5
3c8f4b8f270ed135a9e186906760a547

SHA1
dc8577b553522acf0b2e0c64e3f0f634329d17db

SHA256
6cfa6a45bd608d5fe90a2e23e11167e1b337f3dae83d97e51986e83e83af1aa6

SHA512
ef243f24ed478fbfb70d496d98e1b90df9a85fd18685e85077ef570aa9480f700e30f2fae91cbf73218cd96960d32e71eda65d012aa639d544aec2b60de4a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe

Filesize
78KB

MD5
505d4d3bfa88d17ff0e913e5df0d7a7b

SHA1
75d37e2697e63c770ec471314afd8b6a93b47503

SHA256
30180ec26c45de2974ad882e6ca50ef0f15f91ad601c09bc3b9bf42466da72e3

SHA512
453d507d111d446fba2ff440b87b24ed8d4eb8c3a0d91c2b343f25a94fb9dc1cbaff18e03e0a5d552a9f7682a4288fd08a2e720ee4df0ea72ece1ac750e741dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C86077DF78C45049B5CBE6CC454599D.TMP

Filesize
660B

MD5
7686eb7d8ccd3222b3b41e6d6ece6614

SHA1
8e5c95f1977bff6adc17b02e1480f48211ef56b5

SHA256
56cc46ea62059aff35ad9b9da4e6c035c328fd9a8af5da7b1e4de7a28bf68c73

SHA512
17555b4760fa9fc4c77b90effc51fac8346c0ca16d7ccbb2e929fe82270923595604f489d5b985fc6330793d8823b6632bc40df0167dfdf93556f4e26969d8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1656-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-29-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-30-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1656-26-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1960-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/1960-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1960-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2724-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2724-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads