metamorpherrat | 5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d

General

Target

5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
Size

78KB
MD5

cbc8b8f41ccac7371e1e8c987900ef98
SHA1

dc8319f56aa110cef5323b171cd7a800ccacf404
SHA256

5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d
SHA512

cb587c04d55a366fcf91a9b82c5852a24c734b3c88b60aca9a2ef3982fa833c4171e7fd3c24e1443bc4cc088df471d612976b5bd843fdd07ca7bff015b1ab2ed
SSDEEP

1536:cRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte6S9/R1Db:cRWtHa3Ln7N041Qqhge6S9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	tmp6EF6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6EF6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6EF6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
Token: SeDebugPrivilege	1644	tmp6EF6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 224	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	82
PID 4468 wrote to memory of 224	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	82
PID 4468 wrote to memory of 224	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	82
PID 224 wrote to memory of 5048	224	vbc.exe	84
PID 224 wrote to memory of 5048	224	vbc.exe	84
PID 224 wrote to memory of 5048	224	vbc.exe	84
PID 4468 wrote to memory of 1644	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	85
PID 4468 wrote to memory of 1644	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	85
PID 4468 wrote to memory of 1644	4468	5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe	85

C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
"C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t_h6ygnf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES701F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc305BCEB395344767B2C9E429FA2C61AF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5452a9050bb25e2631dd9642370fc05c9a7e5cca312b9505dbf3760f3515dd4d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES701F.tmp

Filesize
1KB

MD5
d112da5f5bb0efb6eede56f221f1900c

SHA1
63b628525616e5aae3ca943ca8e18cd6aefd122a

SHA256
08eddd3e6192f405e2ee80fa0deb5f07e6fd44ca65e87093856d47df8323a923

SHA512
e7839ee36f084e7c3918b17eb82e69be76048a72d785c28659fab1c959e01fa9dc8da8a6c3aa1c941a7f0b92472737d4f2748a5ac0f03a01bba7390ebc6c0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t_h6ygnf.0.vb

Filesize
15KB

MD5
ab104280afc365ef50341810aede5a93

SHA1
63b97b18b79f8a4a0156194b5cdcd3854ad8436b

SHA256
26691010c243e4365d9e54c06ac33098b8822f59bf0fe8933a6486ee753ee280

SHA512
36b1180e80c7ae23af883339cb8991ef8b551d4400153fc89aeb195b64385ce18456bd02667396a1b592f67146126bed4a92164da090fb8a1ebc0bb786b7bfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\t_h6ygnf.cmdline

Filesize
266B

MD5
1eea39afe6e52b706df7a52e3e140a9b

SHA1
1b9ae35c3e8dfc8ba0432c827058202776956baf

SHA256
13244427a879da501ccf170db99528a311cf0f1c4c47f8d02bbe739fb4410bd8

SHA512
018d51760803f31975e4e1d0a1345ab043662d39e09b0c27c85618e02ff773b522a6851301968f8ed2f6ad30a0bc3fe49fdf8d736a1bc54c60d26a14b386e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EF6.tmp.exe

Filesize
78KB

MD5
68da14b570706057c162bd4415ed5ceb

SHA1
42d9f703aa778cdb31b3c94a11cd6af9deb60120

SHA256
c2dc2d424c175eb7bac54508360d77be11b97046a5217eac5e34275f6f38fd7c

SHA512
a43e235dd6c2eeffd34be1115d4a08c7edfcc99b657b059fd0507bf2b4120c2372edec2a995cd80a5358b990443f6d0d160d0a7680e3ed1cfce751b207bbdeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc305BCEB395344767B2C9E429FA2C61AF.TMP

Filesize
660B

MD5
5ce389c006b12b35ef02844d1822b6b8

SHA1
21f171dd1ea8a966461faf0f73803f0fd5b35429

SHA256
8a27a1e4201152f7108a343bb5aeac38129e8e0fb85be568e11d25a5a56dbffc

SHA512
c18dbc41f7cf65f112cb45e118ccac142232f17d33f82bcc421d56a6537195b61cade9fabfe6ed9dc60dbe9b2ec7f025a5c42bafd2a2cc6e6a060357b09d7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/224-8-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/224-18-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1644-24-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1644-23-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1644-26-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1644-27-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

Filesize
4KB

Download
memory/4468-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-22-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads