metamorpherrat | 7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8

General

Target

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe
Size

78KB
MD5

a0644ba03ff17739ab64dac9d2af1130
SHA1

cc70c7053352b22f6f85460a96cf2cee20bf29f9
SHA256

7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8
SHA512

130b816cfc1bc6a32db07fcab17186fae9fbb8d4aecaf26179365b2e720264a526f6f7a64b1956dcfd3934fff7423b32735a53668e9c9788b61c4a7ebe1f253a
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1ADc:lRCHYnh/l0Y9MDYrm7eA9/pc

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe

Deletes itself 1 IoCs

pid	Process
3676	tmp7FFD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	tmp7FFD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp7FFD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FFD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe
Token: SeDebugPrivilege	3676	tmp7FFD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3504	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	83
PID 3396 wrote to memory of 3504	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	83
PID 3396 wrote to memory of 3504	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	83
PID 3504 wrote to memory of 1152	3504	vbc.exe	85
PID 3504 wrote to memory of 1152	3504	vbc.exe	85
PID 3504 wrote to memory of 1152	3504	vbc.exe	85
PID 3396 wrote to memory of 3676	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	86
PID 3396 wrote to memory of 3676	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	86
PID 3396 wrote to memory of 3676	3396	7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe	86

C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe
"C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yw4ltskk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES826E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC0EE47B4EEC496BA235FB172AFFA56.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7ad55881d74d6c315d1dbe42c274e0cda07a7cda8dbb1e1f974f601cc3a7a0d8N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES826E.tmp

Filesize
1KB

MD5
80b859cb8dbaf8b022c4f58a56e1843c

SHA1
a7ce49bffb45998c41d66dcb0d9bfae4c5325905

SHA256
50e34c5295a27b300ac7d31f5aa51b6fadff859d4194a99431b7e883f9c898a1

SHA512
72500c05bf24c270980c321cf1b6f299f7a322ae6d91f12f77329ce38669067ad66493983b63d009586874c37873ef51178e90d5dedca4f7941b049f9e2aed32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp.exe

Filesize
78KB

MD5
3fb34a809a42733151e69aa1cef628ce

SHA1
4912f93b6ca62514743b4c56da7e054c8430aa60

SHA256
93ced1ac0d6ca3dd0dcdea0ed1f0ff47f85f77b3754468e2d8118c89f0059671

SHA512
e2b56a039e449dd81a86ca869c402b6a8c0e03c0844c76979c5b364b118476802effdd7182ca4ae2b269c347e7eee0fb27498455351a8e0e72d61780bbd4b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAC0EE47B4EEC496BA235FB172AFFA56.TMP

Filesize
660B

MD5
40b3f914b990ec97330da5adc8a2ae47

SHA1
6d78b3d581185097433bad389e2c753c23efe141

SHA256
b0307812d47e03ba1afcf821a861adeea8ae15f0745d696932aacc8b88a2d0e0

SHA512
a82541db6012e39a2b4793d9f75f0817f38bed4120a80adb03cf2cd86a95d8e1ca0e76cfd2b62539343eb7aae9cb30f53a422d8035420396f79f4e0403ae3a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\yw4ltskk.0.vb

Filesize
15KB

MD5
a07ea58cfa9193ceee631daffc6ea3b0

SHA1
96dc89bcb5d65706ab06502c11df6664c51b9f0e

SHA256
f336b61246cc16638631bbe3c40792973626b2f21704094c096f9f69eec9ba7c

SHA512
e6ff116eb816a08d1f01f7c768268be2e5a42889aa68d751f08f87fe519fc45a70e806894fdb12fa98d66733000adb16ad128280904755ee2180c22da9217a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\yw4ltskk.cmdline

Filesize
266B

MD5
972cb188ef880136ca75ae81c6bf6332

SHA1
0c6432c4c6669c5b70397235e1ac59712e1ab2f1

SHA256
ff5987779eaf209d832394550f827fc37c158a23941cba6aade71cc39e9babab

SHA512
22fc08de4e117f1737c3a7ec8fba263b4f3b3368a231505037620c1e8798936e41eced4ad4a6be9811fd0f6d52c35ba8a721f2ed71138f1d9b539935b57ae093

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/3396-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3396-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3396-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/3396-22-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3504-9-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3504-18-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-23-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-24-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-26-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-27-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-28-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-29-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3676-30-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads