metamorpherrat | 46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863ee

General

Target

46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe
Size

78KB
MD5

3eade96ff4f99d2abb78de49abc6ebe0
SHA1

b36254d2f81c0d98e4ecc205cbe0e2e7c0a363bb
SHA256

46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863ee
SHA512

e94a7449302f37f6e2aab9747a10770306a999945c119bebd8dc2beaa87cb32df932c90251450693c18d8c463aca6253e59f0b400549aca9c96fd66a78d49c2c
SSDEEP

1536:BHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/01pP:BHFonhASyRxvhTzXPvCbW2UeN9/0

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	tmp731D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp731D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp731D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe
Token: SeDebugPrivilege	2904	tmp731D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4252	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	83
PID 4808 wrote to memory of 4252	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	83
PID 4808 wrote to memory of 4252	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	83
PID 4252 wrote to memory of 1600	4252	vbc.exe	85
PID 4252 wrote to memory of 1600	4252	vbc.exe	85
PID 4252 wrote to memory of 1600	4252	vbc.exe	85
PID 4808 wrote to memory of 2904	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	86
PID 4808 wrote to memory of 2904	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	86
PID 4808 wrote to memory of 2904	4808	46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe	86

C:\Users\Admin\AppData\Local\Temp\46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe
"C:\Users\Admin\AppData\Local\Temp\46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vlmesa1c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A9F59EA65BF4F159BC0B2D7118BF924.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\46f544419567b69302e1e49fb3c9a1d77e38d18706b255c448505829df0863eeN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES74B3.tmp

Filesize
1KB

MD5
1b9d52b6c127689fe26ecef7f2ec746d

SHA1
1d1daca955bc5bb767283ba00bfc702bfb5e33ed

SHA256
bb670e4d994a188d90e50bc1c956c28300dd3d50537590155f3a9e7a40a48640

SHA512
a6abffb5b74fd6fdca90fc8a55f6828c3bc2fcaa678f044cc385c43049dc020770dfe2c66b187c3ed67fba8d45da78b9a6581c66728e20196754ba0fbc784df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe

Filesize
78KB

MD5
8d0000849d1f12fd20899470742b5af6

SHA1
2a1d8c35b13b547edee9d5eb556e03e9124baa3f

SHA256
77a4eccd84b154d197fc23ea3ab9fedae78f5820235794e728fa643399d110ba

SHA512
c1cc59a450832fe402477b3626463cf4f10230997b0baaf50a5c68a091a0722453292c7be7338d8ebdcee955bd084d64f6345c387b84fc3e7838f3c4a921e782

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3A9F59EA65BF4F159BC0B2D7118BF924.TMP

Filesize
660B

MD5
530998809fda3e5823264c4f2c2bea8d

SHA1
f325ebbc72e26a09a3c5776cd6aeee3a5c7e36fb

SHA256
0ec66fe7d64c9f355bd8de5a818e24f45b6cf66b7e6e206f8565670f378ca2ed

SHA512
e7d69de193c5a774dc38fb89d2afa44e5a266275c320d8e0fc8d80ea48f902a29f9ba612dbe928a9262ec70a08d0a0a07dee757b95b45a4f7aeee864ad7f4573

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlmesa1c.0.vb

Filesize
15KB

MD5
d2cd553086734b42b13a2836d992bdcb

SHA1
6b8288257d67863c2e7bb64121440b0adb718ab5

SHA256
f82d4e6e0891eaa58d089a3a0fb5dd83df2570242d61eefd03972c3bdff59a3d

SHA512
084ceda7270a4ab5b2c5ca853894b3e4a141cf9d455a20c70e8f3b22863b804b11abe54bc9263cdb491d79e0e386e46170f0c0b79231a1094fcc728f8fa4eb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlmesa1c.cmdline

Filesize
266B

MD5
2935ad23be99629f654074d6a9128039

SHA1
3ff6d53c7b69646e78fa58580d43495ea1041890

SHA256
307a83df71e0c6d868521363ec584fcebbcd286fff6314cd20d5e0376411e775

SHA512
ecd39b2dc2d7e48b3f624e58e585ba2a615900547617d8edeafc74fd5e2560d2fca3816b653e8e5dd29efbe21c68a78729038b57421b2e8e3045798e93fc503b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2904-24-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2904-23-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2904-26-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2904-27-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2904-28-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4252-9-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4252-18-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4808-2-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4808-1-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4808-22-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4808-0-0x0000000075092000-0x0000000075093000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads