metamorpherrat | aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7

General

Target

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Size

78KB
MD5

733319b3eef1c7bbd30aa8dac6519aac
SHA1

fce2c55c1436a9d8ef0ab7dd25decf3fc2eb54eb
SHA256

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7
SHA512

104309319cc30b3180e0148efbdcfa73b5319dd39d8206ef77f176110ed7a30f491c37c6108827fd356bcac1d5b15ff507c0d2011aee7694947f73830011ec6a
SSDEEP

1536:NPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtv9/M162A:NPCHshASyRxvhTzXPvCbW2Uv9/4A

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe

Deletes itself 1 IoCs

pid	Process
4812	tmpB0B2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	tmpB0B2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB0B2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB0B2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Token: SeDebugPrivilege	4812	tmpB0B2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3980	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	84
PID 4076 wrote to memory of 3980	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	84
PID 4076 wrote to memory of 3980	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	84
PID 3980 wrote to memory of 4288	3980	vbc.exe	86
PID 3980 wrote to memory of 4288	3980	vbc.exe	86
PID 3980 wrote to memory of 4288	3980	vbc.exe	86
PID 4076 wrote to memory of 4812	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	87
PID 4076 wrote to memory of 4812	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	87
PID 4076 wrote to memory of 4812	4076	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	87

C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
"C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddwu5qlq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE65BEEBD69A44D8A0DE1DBF1187913C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB19D.tmp

Filesize
1KB

MD5
6e4f7cb3f57f13d16d496e1f50beb3a8

SHA1
7f1426ff6bc24eee863ec4bfe885eb2e62df79d3

SHA256
95ff6bb84659fe1be740aa40f03a51f9188b293bb9b19c99a0970c5a6513680a

SHA512
5c3c53d508fd210b00439335c8c06a5facd69f7ce3d604ebb838603eb73014beac402e0e6f4e89230eb8dd090e4c49a9feceb4add65ef936105dcd497fccba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddwu5qlq.0.vb

Filesize
15KB

MD5
8e258db47d15f3a21f7e9183f589ef9f

SHA1
3e2e1ac6f54a7c62fedc289213eb9d6ea44501af

SHA256
a05ec98c24ec88188d5efe7a1b85acd9d5c3935dcc84ba36b1bb7f3858d8c0c8

SHA512
e9c2fdb866fa6aebc098b46b7d9f05d62b7be75a6e8c5e3bd676eb85b9605fcf8b3e8c8bca4a360706b425d11f0a47ad8e09ca1e962ca70aaa053cb5afbc92f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddwu5qlq.cmdline

Filesize
266B

MD5
953c7ee0ac1fa91c1e375da9f51e96ac

SHA1
d363170170b24de6881ad8a669f0cb1cc6b81bb1

SHA256
c9d3dc6d264914f9534ec62d5ba66cf450c9bdc1a35824bad5b192df6f3e9fa9

SHA512
4154b6b27851061783919e1132e7cdeb1618a268a56801d5de2f49ccd6a12ed2167cb92d4499565076a97daf146a16f72aff20378271d2b47189daec6b5dbb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp.exe

Filesize
78KB

MD5
a46189b50abf5ab3951d83fb7f59b69b

SHA1
5d6bca265cbd8f1fe07d4b226ef9e69dbc987613

SHA256
72027bcc7aff06b745517296ef25b3c46b97a1cf3c71686d05bc907c2833227d

SHA512
4dd12e59f2d21015b39630be96337af26133c3fc494e4f4b729a20b00455f10e0667b5066be0d654991d5d4f52ce470e9018bd1a768c7fc628710b6c600ba4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE65BEEBD69A44D8A0DE1DBF1187913C.TMP

Filesize
660B

MD5
53239c31109d0fc93e0e0fa23eef462e

SHA1
436ec3d0c81c1de26fd189afdfa2bdca41e0b50a

SHA256
ce49ce1a2fd29b4fae5b70778507e39d27867aa7f5cd19b0ee5e18167df750e6

SHA512
c7f9872d02c305d7bd6be2b5eaa3b5646798b42c01f1b56f2a9b5bcbd79eb3dc0d27bd50d2f97366947a9b81285067225f7a8ce5009bf0cc7fda343a9f8e8cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3980-9-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/3980-18-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4076-0-0x0000000074AB2000-0x0000000074AB3000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4076-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4076-22-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-23-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-24-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-25-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-27-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-28-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4812-29-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads