metamorpherrat | 107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950

General

Target

107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe
Size

78KB
MD5

aaaeb0b67f3d18ff3a375b80b718dffe
SHA1

68162e4e9a2c39c81c9a3da78ee70eb95e9a4f7c
SHA256

107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950
SHA512

69598ad4b82136abb3568fe6a827d571fca5cc9abe0592b90d35de8b91179339bbaf60b1b6ef904390f8ef6834282bd390ea3cb3728f119b16176eea024a4544
SSDEEP

1536:VStHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtem9/m1cr:VStHYnhASyRxvhTzXPvCbW2Uem9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe

Deletes itself 1 IoCs

pid	Process
2880	tmpAE9F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	tmpAE9F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpAE9F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAE9F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe
Token: SeDebugPrivilege	2880	tmpAE9F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3052	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	84
PID 4360 wrote to memory of 3052	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	84
PID 4360 wrote to memory of 3052	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	84
PID 3052 wrote to memory of 4948	3052	vbc.exe	88
PID 3052 wrote to memory of 4948	3052	vbc.exe	88
PID 3052 wrote to memory of 4948	3052	vbc.exe	88
PID 4360 wrote to memory of 2880	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	89
PID 4360 wrote to memory of 2880	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	89
PID 4360 wrote to memory of 2880	4360	107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe	89

C:\Users\Admin\AppData\Local\Temp\107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe
"C:\Users\Admin\AppData\Local\Temp\107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vzwjvcdh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB120.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CC29FC5828844949D8C2A5242FBE4DD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\107ced0aef1bbb8fdcd7fb70cf09f1c4fa51b47bf0c1fcac856a60166bfff950.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB120.tmp

Filesize
1KB

MD5
9dabfaa2051388cc3b6c4a9d160b343d

SHA1
b4dea56c0bb248ecb6fea40af2a6585ed23d68cb

SHA256
9e0d84fc6cccb10ad682ea5279e43fe42ee2366905ba2e493bb883f0868992b0

SHA512
6921d66631bc99f0866804411afa622acf6b3a1f3e3736ecf56fde471e58f77fae26f7014cedc53e011c18fd51c81a3be6eb9fae6b3e1adadb7bd3bd54fd798d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe

Filesize
78KB

MD5
7b44a9bd186d1031dd82e77dbed8f156

SHA1
55b1f014c34e1d2c92ea6ffed3bdd93da420c5a5

SHA256
153557522ad5da6ca349b24aa39ec1d4160e46cb079b562358152916db9649cc

SHA512
7fe31e93117651f329694e0fc436aa9b57b358dd51cdc550a03a0375af7e97df651e3d7e0309c50484ad4a2d77687e7a1ce56b12d7f64048a25da4f4ef04d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3CC29FC5828844949D8C2A5242FBE4DD.TMP

Filesize
660B

MD5
0ae695f7599039d6471632a8cdcb5a2e

SHA1
1825db7eb937804e51ed9c0ee6d71975b4567788

SHA256
d913f9b19333d105d531ee797e835e53334f3974147f5a4fefc410cf48356722

SHA512
91460e46b03a6baaff5197eddfdac23bf2ba81518e095f2ce0710d48f81b7b27d08b972fbff5fbc03082f591a2d27539fd3b507717095e7fae8460c2e92b502a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzwjvcdh.0.vb

Filesize
15KB

MD5
35af26d4df5fa27366c926432d05a072

SHA1
a319edd2035026193059b33ae3a39dd84ca6ad2f

SHA256
04c9bc263e5d464f85048bddb648122f5cdd5575374d89de3e290ba6fbdfd556

SHA512
e34d516513e988752498838225c45e903735dcc4664f7bef7e2ddfe94959f5dc1c54362c2efc39fd280c0fbb0b33b8d304aae9173545946da2bffdd311434aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzwjvcdh.cmdline

Filesize
266B

MD5
db37d6e0b65e74d3d983e9f0f60e1ef3

SHA1
d8264187299a34e1d53bfc004394b8bf6d202c53

SHA256
0fbf66f161489d4476cf90dff17d88792be722ca06259d3d70f9fa7c33aea8f6

SHA512
500360e6006713c0120713c530d04b4eaaef970152d3a93885600d17ba3b8020d76e61c452b32b4aadb0a97fb816fc2d65156665046c081d5c2ac41944dfd9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2880-24-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-23-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-26-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-27-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2880-28-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-8-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-18-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4360-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4360-1-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4360-22-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4360-0-0x0000000074F22000-0x0000000074F23000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads