metamorpherrat | da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc

General

Target

da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe
Size

78KB
MD5

f81f70cb711c0ef11a6f37f502cd35c8
SHA1

3661fb6a5aa39bcfa4d6413c723dbdb435c41c86
SHA256

da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc
SHA512

9a53a473281ad6496b37f0af701d1582c8ff8488c4057d0d77ee3c46d95f18dd062b9c9a1ae03e09f2838014ff92f7abff0df97ac1a8c68a2af043b11481e239
SSDEEP

1536:B586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC659/Cw1eYM:B581n7N041QqhgB9/3M

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	716	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe

Executes dropped EXE 1 IoCs

pid	Process
968	tmp3870.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp3870.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3870.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4136	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe
Token: SeDebugPrivilege	968	tmp3870.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4844	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	88
PID 880 wrote to memory of 4844	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	88
PID 880 wrote to memory of 4844	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	88
PID 4844 wrote to memory of 1744	4844	vbc.exe	92
PID 4844 wrote to memory of 1744	4844	vbc.exe	92
PID 4844 wrote to memory of 1744	4844	vbc.exe	92
PID 880 wrote to memory of 968	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	93
PID 880 wrote to memory of 968	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	93
PID 880 wrote to memory of 968	880	da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe	93

C:\Users\Admin\AppData\Local\Temp\da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe
"C:\Users\Admin\AppData\Local\Temp\da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\utujkz_p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES391C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E5A6C67C9CF42C3AB8977DD3CC7C8EF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp.exe" C:\Users\Admin\AppData\Local\Temp\da730918dfa4c2ff130f8121a680acc8b39971ee0537a17a95911b260a23c8dc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:968

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEY1MEY4MDctQjlEQS00Qzg5LThFMDMtNjgzQjk4MzMwNTgyfSIgdXNlcmlkPSJ7RUM5QTgyNDMtMEY3Qi00RjI1LTkwOEYtMEE3QTJEQUM5RUQxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkUyRjBFNkYtQTE4Mi00NkRELUFBOEItN0M5MDgzN0Q1NDM3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzY2MTA4Nzk1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES391C.tmp

Filesize
1KB

MD5
934e399e5856238ea7fce4ff97eec797

SHA1
2b4105f6e2a698473a7a6804962523217e082c67

SHA256
26f74fcc497b21612988ed06c221b15ef9a9a78516a7eadf213748c3df96e37e

SHA512
a5d18d8f63652a5b7ac5a14ea0345bc2da6063d908af3ad5d122d3559aee40de18ae4045d3c63f2eb0275ca7f6ffbb89df413354799677bb698fb6128e509c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp.exe

Filesize
78KB

MD5
1ecfe1967fb3bd47e2f4ded631c741ec

SHA1
7db0456581e384a3485c15f195d3c29bc13de943

SHA256
362384ff242cd70ad90f4861d072d2d10870848d01aeaf2bb7d81d517ff8ef74

SHA512
9c7401713f74f31235f58ce021a19612791d40bff7a841615f2669cf6949519aadc2b4e4858710f1c7ac148e43202059f2dab22de999f4220ade0a747036d3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\utujkz_p.0.vb

Filesize
14KB

MD5
3f05b45c269bb9369d2197104e9c2044

SHA1
b90be0a2da541fd11fc61cd5d34a6b6b0a3ed517

SHA256
88214536b98ecb257a691303d83eb854f6635956f3e0bc8e9995891efd360451

SHA512
57b24d6e0b683676022a2dfceaca7b3ccb447c0e2c05a256527c62f647dcb46ad315190da01619de9f88d52e9307f6a6f0c15f8df4e8ae55611d4dd4d98082f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\utujkz_p.cmdline

Filesize
266B

MD5
a14aea19dd33f31c4a8179fd7560b923

SHA1
17ff891d275bffdbafdc554ffce8b0cbe8c8abff

SHA256
e47f0ec3077e4da8ea2992772b4c13b2d3517e29010772a437c9898ac4cece7b

SHA512
c7953adfe696ee59a605ce61d6ec55b3b5df2434d7014ada5d43935a08bfa484b1fe4e1567a56d43beadbaead56f17bcb62a001ddbc936a444d75404567b1e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E5A6C67C9CF42C3AB8977DD3CC7C8EF.TMP

Filesize
660B

MD5
84dd22662d257e5a93dd8c5907792327

SHA1
8eb0e46e4f44d4082f6b9691f1b9b00bc3297780

SHA256
2cad5a884c3f0f60d393c21211da08f9f7e3c19bdff75a1d282c788b8d26848a

SHA512
357f16c317209ef7912d62e1822f25c8592cbedefa8a79682d1ed17e676ded12240962d45b1b54c98582f324155b1edff25f7d995a0c654be909373c44db3f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/880-22-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/880-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/880-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/880-0-0x0000000074822000-0x0000000074823000-memory.dmp

Filesize
4KB

Download
memory/968-23-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/968-24-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/968-26-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/968-27-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/968-28-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4844-8-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4844-18-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads