metamorpherrat | 839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba

General

Target

839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Size

78KB
MD5

c021a736bee71fc4ba1c46a45d61f79b
SHA1

b2646767cfde9523540ccf4f21e0f9c8ded2cd3c
SHA256

839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba
SHA512

f8c71912bf7e570048e18858915a45a4ee4983a3803303bd5ecda6a82a6e7baf98d87a4e28c7a980f4f65b9e96f98e4cb045d54ea1779b6ae25f8ce2cad66a4c
SSDEEP

1536:BHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/01pPp:BHFonhASyRxvhTzXPvCbW2UeN9/0p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe

Deletes itself 1 IoCs

pid	Process
3708	tmp2837.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3708	tmp2837.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp2837.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2837.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
Token: SeDebugPrivilege	3708	tmp2837.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1884	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	82
PID 2440 wrote to memory of 1884	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	82
PID 2440 wrote to memory of 1884	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	82
PID 1884 wrote to memory of 1644	1884	vbc.exe	84
PID 1884 wrote to memory of 1644	1884	vbc.exe	84
PID 1884 wrote to memory of 1644	1884	vbc.exe	84
PID 2440 wrote to memory of 3708	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	85
PID 2440 wrote to memory of 3708	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	85
PID 2440 wrote to memory of 3708	2440	839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe	85

C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
"C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\umr0famd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90E9A885174545D6884469AF90E454A8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Users\Admin\AppData\Local\Temp\tmp2837.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2837.tmp.exe" C:\Users\Admin\AppData\Local\Temp\839095c13600f439f062b01bc8d10fd9ef2aedbda53c269a345d65a95a77fdba.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES29DD.tmp

Filesize
1KB

MD5
b48961c8b980e8af18d4a83792730f6f

SHA1
caa29f5fe7446284d21712d856fad0712a1e5a54

SHA256
7307df5cd5310644e977bae3efe7f7d8204003fd67df3bbb54bff09003c5c857

SHA512
d0e278afe90902e2cf9d31df3135be9d5db70eb9ad7074a394b2cc6c8019ceeb1295a01aa71edd4d3d6c32b76742a740341ded2cdfb3efdcf729338190b45226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2837.tmp.exe

Filesize
78KB

MD5
91b54da854e0ee6609217aed867096b0

SHA1
69f5e90714de3d20b51d7632d3684d47ec21e9bb

SHA256
dae93343bb18f86a13019169b58766fd73abf070124e9e9f2cc047bd9f1b188a

SHA512
c20baebe8c9243939c3557adc75c2eb12a7dee40e0435eccde0a5e630f2f695dd213b3a5c3db0507648d93211dcd2fc54c071199ccc0c107299046780a3b878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\umr0famd.0.vb

Filesize
15KB

MD5
af2408c4e29ab4308b8a1b8a6122ed50

SHA1
180580dd0d3647eced20c78a472607d6ee96553d

SHA256
afe289efeca83054a0d67fa46a11096e4997fe3108145b3e9d950e670368afda

SHA512
b9f134964d24e592070b3c040df987fbde3e3cb23781d5c22c2194bbde7f6f36ae4223db9f5c6125fcc84e156f1d5c311dbd63afe4f1646d3efac612216f4129

Download Submit
C:\Users\Admin\AppData\Local\Temp\umr0famd.cmdline

Filesize
266B

MD5
d5620511bdfc0510f996059f5507054f

SHA1
230507e67932e25dfd699dcef16de6b52dfef4ac

SHA256
c208f409dd35e6af9df150dac017e84958971100c2388bb821add6c3605f3d08

SHA512
44ea7235b0aac7fabc839177a750164e13923bc7d548618311d0fe396043bfa97687d92a2b5c6f2fc6df721feda8830dbc29ed3243acb4591ab861a76e1dddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc90E9A885174545D6884469AF90E454A8.TMP

Filesize
660B

MD5
2de76e7fe1097929a5c7098e0f5ecd14

SHA1
994e9e587c2c206ee69d183c5e7c1ebb65ef805b

SHA256
318068b8f9d4dc32a1dd485388787df66e7d6a3d50b8f99ea69e863cd635f727

SHA512
05b2fc32eebb91d155f8b5c1acdd8fb79e74bf8a6310f5d985eff7a04102ca18c74bcc62600234c4df1566b8f6ffca5266e81ef726ed95f9363615a5b1c18844

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1884-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/1884-9-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2440-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2440-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2440-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3708-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads