metamorpherrat | ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d

General

Target

ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe
Size

78KB
MD5

74921ae1ff9ebcf44aad3fe2ce87acca
SHA1

26283b9057972692c0121590b7d3621f114a4daa
SHA256

ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d
SHA512

8fc866e869f5adad91fda66e4f8779eb2cd0caf52085eccc8e358b40aadb3df54913fb05d0e6506ad12d768886f92afa85224ecc78c6c33c6e792adf7f53b3c6
SSDEEP

1536:Qmy58QvZv0kH9gDDtWzYCnJPeoYrGQtC67Q9/o1x0w:vy58Ql0Y9MDYrm7jQ9/rw

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe

Deletes itself 1 IoCs

pid	Process
3436	tmpA98E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3436	tmpA98E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpA98E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA98E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe
Token: SeDebugPrivilege	3436	tmpA98E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4960	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	83
PID 4344 wrote to memory of 4960	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	83
PID 4344 wrote to memory of 4960	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	83
PID 4960 wrote to memory of 4780	4960	vbc.exe	85
PID 4960 wrote to memory of 4780	4960	vbc.exe	85
PID 4960 wrote to memory of 4780	4960	vbc.exe	85
PID 4344 wrote to memory of 3436	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	86
PID 4344 wrote to memory of 3436	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	86
PID 4344 wrote to memory of 3436	4344	ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe	86

C:\Users\Admin\AppData\Local\Temp\ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe
"C:\Users\Admin\AppData\Local\Temp\ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ciupu4s_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D483BB07AB841B9A53C93A416A3D74F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
- C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee2aa77fd0b7b5e1d02e4dc411ecde9042237869aa8a4a77eaf3b204b22d117d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp

Filesize
1KB

MD5
393b007af6f240660e6d75d561ff338a

SHA1
357c98ed90dd0131f8037077a93ab4de0818a29d

SHA256
c97fee4e6f00cc265375ae4451b15ed0f2946b0623402de5f56ee8b408eee8ce

SHA512
28cd928239915c1df58978f10bfb71dca13bd720c4787bfd06dae42cc209c24887e7b651ce203da9cac5c56c9939cbe68f5c9e9847b3735c25a2de6197bf464b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciupu4s_.0.vb

Filesize
14KB

MD5
314f2db8b60a362d07a1a6151871d3b7

SHA1
154bf151af40bf64bdc518364cad459316d11414

SHA256
de52e3571a0538edb283d19cbec669cb3003a6c7a0cae3ff28d9c625ada88ed8

SHA512
584ab2cbe906ae0063bc3fea7b3eac44e13ca9343d6090dfd5ab06e731852288cea267dfcd17ae78f6e1a9834a6a4bbbf3f4dc03bca295fd343b41d58305098f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciupu4s_.cmdline

Filesize
266B

MD5
3ccab5e247ce4e3f47642090c1691d9c

SHA1
2aeb090049e0585c10ce56aaf0ff89257ceb33ba

SHA256
2cb3b6a7f63c31bf5cfedf9d405b0573a1e277d1f5b27211fa3caa005c2a470e

SHA512
b23695660eeaadc421d7cf9317b6ffb38c9018793b0957cb6a39e90eb1135d85d5ab4ac41ceb96a0e280819172253e380aede85246577350afca081a9d125c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

Filesize
78KB

MD5
af2900d0be251a9dac27bdaffca40590

SHA1
17966bd31f893b16750fb56535767626c56bfa41

SHA256
82e337190a0a3542ca62fd539f7c88e115f36664578cdb627b56359dd6b46acb

SHA512
e8a5d0238289b876f04217da00b245940035b5bf30c73f5b5c35f95de0725b47c02b008e4900c33a8dcd92b42481c27c9108b359359105fcd65bcd04b9263910

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D483BB07AB841B9A53C93A416A3D74F.TMP

Filesize
660B

MD5
0d361ee7a5a6d722b546ce9ce3ea036f

SHA1
ed6afdd5ba1bb4859991caa69a058b16285660e2

SHA256
6c3efb0f0d058801ce1bfa76b71bbd4f15e964addf747a924da1c8792562b0fb

SHA512
db881c656840f9323f72f556c7589814f2fb3adcc4df43039feb3465a30a1a526ce12b68863c5883c04bcac3d5173849d3eef63068d36fb2b4d781948e7d26bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/3436-23-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-24-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-26-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-27-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-28-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-29-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3436-30-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4344-2-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4344-1-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4344-22-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4344-0-0x0000000074D82000-0x0000000074D83000-memory.dmp

Filesize
4KB

Download
memory/4960-8-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/4960-18-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads