metamorpherrat | 3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33

General

Target

3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe
Size

78KB
MD5

ca815db78283e9b32e35a39122824650
SHA1

90f4a3d22a030379ac368ed683825835715af53b
SHA256

3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33
SHA512

aa78cc4ba6729537174dc3f514494ec40d5b6ca191a6d2ddd31ca9f0bf080eb9a3b543fd1361fca1f602c6644511fb14a093ed3b5cc61c35ab73354dce081d52
SSDEEP

1536:NPWV5jSvdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty669/DS1Nn:NPWV5jSun7N041Qqhgi9/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe

Deletes itself 1 IoCs

pid	Process
3256	tmp9A1D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3256	tmp9A1D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9A1D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A1D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe
Token: SeDebugPrivilege	3256	tmp9A1D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2500	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	82
PID 3620 wrote to memory of 2500	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	82
PID 3620 wrote to memory of 2500	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	82
PID 2500 wrote to memory of 3096	2500	vbc.exe	84
PID 2500 wrote to memory of 3096	2500	vbc.exe	84
PID 2500 wrote to memory of 3096	2500	vbc.exe	84
PID 3620 wrote to memory of 3256	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	85
PID 3620 wrote to memory of 3256	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	85
PID 3620 wrote to memory of 3256	3620	3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe	85

C:\Users\Admin\AppData\Local\Temp\3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe
"C:\Users\Admin\AppData\Local\Temp\3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gkwf7vyk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3F92BB5822C45649AC315CAA6417163.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3096
- C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3905c4ab67fa120a5441356d8f47b1f93816e88c622ad8e3bc6159edae80db33N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B75.tmp

Filesize
1KB

MD5
df641188cb1cd8aa5e3b43870e22adff

SHA1
7d0afad589608157be48fd20c3c12affdcaea68b

SHA256
d1d605249618de5fd010ece7180e3d30dbe3dfc3b99d8d107349ea4c3ea72074

SHA512
2bf0393e0cfe955dd3edf3039c9e6eeb4cf8f51f362e99c5258540ffb91a2337a9897345687b278042cbb99c1967d1ff89843f15bdb1d8161812c6850a84c788

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwf7vyk.0.vb

Filesize
14KB

MD5
8ca93a3f43b638ab3fed12058b2fd1cd

SHA1
e8a0b3aabddc2a9f5c17347ce4df798265c750fd

SHA256
9d2effd07f2f0d00da3003a26c09fc54824589ec09e21e5ddab58ee975c14fc8

SHA512
63eb89449621c9ff2739214a57054072938586071e8efa4b5687335f74475a4645c708643684bb2638ce689dcecf61ad6828645a141b83d3bd61363b8e2b650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwf7vyk.cmdline

Filesize
266B

MD5
433a41f265aa73bc9ec1591ea9541b0a

SHA1
0cd508e8393d00380e17100f115a03b260b1b1c5

SHA256
bf197cc7d06cd6f797d6a5d6b3187f6c98be985e3ddb5ee3492f361d83e408dd

SHA512
ed17b904f1b00946bcbb555bd58f44305c78023ae93c1b0c89571953d4a7982570b81caec30bec307dd12a3959cb2d1e83a809fbe6ee8e87a08a1d19a0ee578a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe

Filesize
78KB

MD5
aafee8e3d0e7c1b4319ff6dfcf37156c

SHA1
dac7c07122c0757c42b78d877247b96f45925ff5

SHA256
5a1342ed875250c1215fc64f3052102cf35b9ec913acaa8d5b8e55ba9b47e7bc

SHA512
8cf3e661ed2868035aae28f8d5fdee71a1534203e9fe9650551bed742d7571f6df9c02e36a4a931b2bdfa29e6aaf235442b486c47595744a6afc0675e901c218

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3F92BB5822C45649AC315CAA6417163.TMP

Filesize
660B

MD5
d1e57e6671cb306aea9b7c7e34933594

SHA1
6d56a45f12e2a328f6ad500f71c6a871e8610db4

SHA256
631d090efa69bbd564177e2da02b8219afbe3256c7e70df7261218377dcc255c

SHA512
521d24c62e59e4a6829a9ad5d5e5d3fef8a32f43239b3e576da56c155663ddaeb5274289c0f9cdae9b26a322e0f4017c4806ed942e28b39960f10eba9161028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2500-8-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2500-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3256-23-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3256-24-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3256-26-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3256-27-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3256-28-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3620-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/3620-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3620-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3620-22-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads