metamorpherrat | 81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1

General

Target

81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
Size

78KB
MD5

dfad94f5f6303cfb3de527afd835de60
SHA1

a9ec98e8a304341523c957947ba95dbe4672503b
SHA256

81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1
SHA512

4dac95d80f8fd285ec931ce4e9e4740bab795311b2c22dfecb95f66f36c0013a4cd31364468d3639e7340bd4fe44c95a7b80040798cc840c14d5ffe6b8a403be
SSDEEP

1536:OPy5jqXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty699//+1xx:OPy5jSSyRxvhTzXPvCbW2UV9//0

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	tmpD2D1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD2D1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD2D1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
Token: SeDebugPrivilege	2684	tmpD2D1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2412	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	84
PID 3164 wrote to memory of 2412	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	84
PID 3164 wrote to memory of 2412	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	84
PID 2412 wrote to memory of 1376	2412	vbc.exe	87
PID 2412 wrote to memory of 1376	2412	vbc.exe	87
PID 2412 wrote to memory of 1376	2412	vbc.exe	87
PID 3164 wrote to memory of 2684	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	89
PID 3164 wrote to memory of 2684	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	89
PID 3164 wrote to memory of 2684	3164	81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe	89

C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
"C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2vameoz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD590.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7ED7601EF854CE2B5C665F23D20811A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\81b4c5615d3839a6cbd9e466823cbfb0d98acc45ee92113e1c6a88c56b5640e1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD590.tmp

Filesize
1KB

MD5
a86626194c4f645f56e2f2ad8405efc9

SHA1
c05ddbcaf5777803fe9df6d379d3f06df6f2dc25

SHA256
a140161e8e20f1267efd7c759e242da9418b81adbb19c79e13acab2150572474

SHA512
2761c6c797af47124fa954337d74521034f040cbf46b352711e4dafc7a71a713579cfd69dabaaa0cde11125caa504067f64f41e874db26f9f050e6150b198067

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2vameoz.0.vb

Filesize
14KB

MD5
ee1fe6233f565e24ddd71a3c171cc2d7

SHA1
1074b3f80baf9813e33235da3e152e9879effe25

SHA256
0a1970b6a1a9ade6c052a024a1e65cb3c47f6cb3111c75648598bc8342950401

SHA512
1a070c8e9a95627f4cbfb4c5af0ce275a22c14dff632353d100afa66d1a79f021b2b560f845ee76d75d360a99b99b9e74023985346af71e77aa810e49ce41841

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2vameoz.cmdline

Filesize
266B

MD5
011bffc351e5fe06db3f3979f8f7f868

SHA1
d90440a3513e6c14f96ac832f96fba2f57ff9b7e

SHA256
ec480d9ea274bddf542b9f18acbd17c567c2bab9b28fc4ec64e30f0874da3cf3

SHA512
eed3976071695c4ee08b5569572df4b8130b83b29aabe3dd95509e23c2e9c3cf8cfd75750ef373658b6877c0e29b5f1ab28fe89ac650da0b4bba01fdb95befb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe

Filesize
78KB

MD5
2406dc194aed51a8e50ecdd4598fca12

SHA1
0f411d9123a9539a81d2caff13a259941d5e8f13

SHA256
4f4655a484de18792c1ab2f8f7f3ce15f1f308912d2bc1cce73b417e196d2d44

SHA512
447ecc5fd9f635cec778d6f62d8a9eb59b05166ae589b4ee0c84fb24b5e51c1f3072c8ee2a631df938ba0d64430e5450174453a202e53599aac3b2fdb7696a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7ED7601EF854CE2B5C665F23D20811A.TMP

Filesize
660B

MD5
392bdb6899b0e2361e902b30ffb342ea

SHA1
5c8efb959f2933679e12f7956a06e28f14d05ec6

SHA256
b713a56bc359d14a0ff8045dfe3eb813ecf4bfbca53a46721e01b5d5eebb60b3

SHA512
beb393dfb97bde9faf7b4947f284864ed2b8ab03fd5aeb54b052ee4890a083222348b57cd18a732e580d881c8d4e30d4268c0e5766dffb17f2dfca3fb992796e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2412-18-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2412-9-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2684-23-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2684-24-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2684-26-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2684-27-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2684-28-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3164-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3164-1-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/3164-0-0x0000000075542000-0x0000000075543000-memory.dmp

Filesize
4KB

Download
memory/3164-22-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads