metamorpherrat | 36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f

General

Target

36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Size

78KB
MD5

a3eb3a25aa665925d3c1d1d63d80efac
SHA1

da2eebdb1492f2e8f554a208d47083d4b4856d99
SHA256

36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f
SHA512

4a059f9f552a8e003aef65feda5ff52f6268fb0623a43fe31bb5d1e330e079d8ae77458c84fbe66d682c7077f67b2933b5cc19677a6b82eac889d702f702eb74
SSDEEP

1536:6HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQt99/NV1M+:6HFo8dSE2EwR4uY41HyvY99/h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe

Executes dropped EXE 1 IoCs

pid	Process
4468	tmp93F3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp93F3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp93F3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
Token: SeDebugPrivilege	4468	tmp93F3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1680	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	85
PID 1052 wrote to memory of 1680	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	85
PID 1052 wrote to memory of 1680	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	85
PID 1680 wrote to memory of 2792	1680	vbc.exe	88
PID 1680 wrote to memory of 2792	1680	vbc.exe	88
PID 1680 wrote to memory of 2792	1680	vbc.exe	88
PID 1052 wrote to memory of 4468	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	89
PID 1052 wrote to memory of 4468	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	89
PID 1052 wrote to memory of 4468	1052	36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe	89

C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
"C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kuprkkyh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES955A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF2161769861490C8A2F8A499F11C457.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Users\Admin\AppData\Local\Temp\tmp93F3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp93F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\36bbee3658c49a98f4eaa25116c7a49bfa9a269e83f0478fc31fa3563705b71f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES955A.tmp

Filesize
1KB

MD5
4e27da6e4a1f2c275e6550319d501602

SHA1
69405a897abf9f6a3f176e872fd5ab9635d5adb1

SHA256
c0b8c6756810bb229fad50864a39d7edd2c8c6ae257c8b7bc8199689ae1d4b4c

SHA512
c3bf362cd6187010e32307262ceefe61b4396b332e505210cc5a571d30eaa6a8c4313846116ee3fbd659339c6d77689075cf024b4f2e29023a5b791c98eba756

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuprkkyh.0.vb

Filesize
15KB

MD5
a8fe7190a61b50d777238a0ab187b8ec

SHA1
4018b7223c34606fb1429b4966ea33ab8e676ec6

SHA256
9e31ca1cc20f147b040d55aba938e42b75166c6f87c5f430eacfbd2bee3f51d2

SHA512
f137576838e3c4fb133c381303387e14247c11f9a4023b0267dd9dda2da2b1416de1530e9db441dc8f0a8ced0dadfe4b357762da5b6797e74e40f2ff7d91dcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuprkkyh.cmdline

Filesize
266B

MD5
a535d2e6a2722ec52e4bbe3bfffcf65a

SHA1
d36aa613dc9135b9903c590d658089ebc9f4718f

SHA256
b9af854b9293f01ecc61c3e15f237126d24f54226cca532400c21f5b6dfbee77

SHA512
b96c75c0e654975523f13622d8629b39cc7798c6788e823b7365691f8c796657b09a4cd3a7651fc64c766872a9dcf5ce50267c9d715e43a12ce9e846bc41bbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93F3.tmp.exe

Filesize
78KB

MD5
3c731f5a84a663020be9029efe814599

SHA1
ed847694c04530bc31e56c792a239c6e45645492

SHA256
879cdc0ff025f087a6b1e8e36ff27211c8b93ca41d85e37a1e33156c7e2bcae4

SHA512
e2e1c24b82358dad30598a92b20ef5ee7a90c8082d15d9475ebef71cf3cf6f196b80f6d1f7fd79f0130068685b110aeb807aa59ae0c176b39d899ceeac68a4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF2161769861490C8A2F8A499F11C457.TMP

Filesize
660B

MD5
02933c1ade72fed91b17669f34764cfc

SHA1
9a3b1eac2fda5efdae4a7bc8b438f14993f158c8

SHA256
eabb0d0287c3fed5a813a31ddb810e2c8d1d68b7cc8736c4811c21f040fafc05

SHA512
bd02c0c051873ea180173977ccb387aa353f01f714528d68fcfb3e253559bf4976dcf960349485ddf01f04bd019e37f38af43855d7e4ae5b8b67fa3782d19ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1052-22-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1052-2-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1052-1-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1052-0-0x0000000075442000-0x0000000075443000-memory.dmp

Filesize
4KB

Download
memory/1680-9-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-18-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-23-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-24-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-26-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-27-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-28-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads