metamorpherrat | 9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc

General

Target

9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe
Size

78KB
MD5

0217b9eea299591e3ec04b407460b196
SHA1

5c94b5c4c23790df7786521952dccc59275d4a0a
SHA256

9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc
SHA512

68adca67136a41482b92f4fa795d5068d133350aa12a2b4cd13557f40e8401fae9c98666a16a6c42887a2556ce2477db4859a1896ad81ec6f4067f8bd4edcfb0
SSDEEP

1536:QRWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRD9/p1re:QRWtHF8hASyRxvhTzXPvCbW2URD9/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe

Deletes itself 1 IoCs

pid	Process
112	tmpC870.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
112	tmpC870.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC870.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC870.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe
Token: SeDebugPrivilege	112	tmpC870.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1764	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	82
PID 4240 wrote to memory of 1764	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	82
PID 4240 wrote to memory of 1764	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	82
PID 1764 wrote to memory of 2312	1764	vbc.exe	84
PID 1764 wrote to memory of 2312	1764	vbc.exe	84
PID 1764 wrote to memory of 2312	1764	vbc.exe	84
PID 4240 wrote to memory of 112	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	85
PID 4240 wrote to memory of 112	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	85
PID 4240 wrote to memory of 112	4240	9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe	85

C:\Users\Admin\AppData\Local\Temp\9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe
"C:\Users\Admin\AppData\Local\Temp\9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bghf9ks9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61329CE6585C4CFFBD1C64814F6B3DD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmpC870.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC870.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9158094219ff5ee41bce5411174f1f10e03bbef565b4b8541395c2dbb362cdcc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp

Filesize
1KB

MD5
34b359565317284c4ad89484966ba3bc

SHA1
8ee5869560296bc4c539941ea8ed097d4bd8afd7

SHA256
b3b39f638fe3712db3e3f8ddd168a2d26fcfe50d944973f871053b0436959f90

SHA512
9a50ba9730177b544bbc19795374efc3d0c5ee673a442986f2039314a1c8855e66ab3fd6fc0322d06924cd053e4b35676a17812a8ebae67af3a9e248606b8337

Download Submit
C:\Users\Admin\AppData\Local\Temp\bghf9ks9.0.vb

Filesize
15KB

MD5
63243394cf7f9f8d1c87ed22e5b5dbb9

SHA1
85385c756c2517da0088001b40707934816af539

SHA256
311feefa7f24194e38b573cc30dbe3795b0c41f5e443db03bf3b49e034a69bc5

SHA512
1371cbb6df535f3de1367af396078de1c8863d611b681880f15b2b0e71e4e29ed8125a13f9e26451121763b2db42f8558e8de90e80eee8f62d82cccca020900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bghf9ks9.cmdline

Filesize
266B

MD5
4c18d94c39baf8e6a09414b279213cd6

SHA1
62b9eb9c3527e497edf7d57a3e757cc82312c701

SHA256
592df83e5d299d7cfcee31ea1da78a541e52ab2d03d09b5e0476e494338abdb3

SHA512
ec2b65e2d517904a7c9481bbff27ca96990e74db5954fab6da7e04398243c65f27c8c9ab4154b3d5c802a995fdbaf6e6924a8175e7fa4eb6f777a7ac6588aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC870.tmp.exe

Filesize
78KB

MD5
5d5f9971ffa57620205678e284080461

SHA1
3e133898f829cdb356da4009e46fc50d66ab45b6

SHA256
c6f14367a0d73e75d9cde0296d6c1bf9c49187f35eb953be67734bf0b30a4cad

SHA512
27a24e1a43b9004272f8e27c2bef843bfd4214b41777fd7b692410eb1d5331f4c813e11c0a01eeed2cb3d47c3c5f99e13f96fd138fd40e697f22701d37b8699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61329CE6585C4CFFBD1C64814F6B3DD.TMP

Filesize
660B

MD5
0b59dceff8e88dae4b93b1ceeb9dd4c2

SHA1
77db6f05883b15a69d31481909afbb6cccb3faaa

SHA256
2c26dff8df2c6826be88695f9507e89c0ca22ca151e2df333ddd5beb313a36ce

SHA512
cf25ad8dfa14bca9765792d8eba986ef42c75896f2d27cd1c20cf44a6023c88901d891f7c0665dba2a86eed12ef9cc89da1c8a18304af51f8803807487cfd25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/112-24-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/112-28-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/112-27-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/112-26-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/112-23-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1764-18-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1764-9-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4240-22-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4240-2-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4240-1-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4240-0-0x0000000074C72000-0x0000000074C73000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads