metamorpherrat | 4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958

General

Target

4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
Size

78KB
MD5

4a6df5ed5fd827595e6aa1e0183f9977
SHA1

4b6b213814da26ecb5b945179ed4b69169d3e205
SHA256

4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958
SHA512

688d2fbfb8b5fd3554a0f66a4cc064ebdc01ef5dc8ce57a85494fcd7077bd88e75b45330b38e553138b8bbe489c0637342cd25cd4da06c4016d136970b328189
SSDEEP

1536:0StHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte679/ih1a3R:0StHFo53Ln7N041Qqhge679/nR

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	tmpB2A6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB2A6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB2A6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
Token: SeDebugPrivilege	2196	tmpB2A6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 432	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	87
PID 4496 wrote to memory of 432	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	87
PID 4496 wrote to memory of 432	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	87
PID 432 wrote to memory of 4396	432	vbc.exe	90
PID 432 wrote to memory of 4396	432	vbc.exe	90
PID 432 wrote to memory of 4396	432	vbc.exe	90
PID 4496 wrote to memory of 2196	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	92
PID 4496 wrote to memory of 2196	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	92
PID 4496 wrote to memory of 2196	4496	4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe	92

C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
"C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\onrxdafx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A3403D6DC0641EB862637EF9EF632A6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4db877338b83434ef48cb10da3234084ed8784fa00632535dc8f5192127b9958.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB3FE.tmp

Filesize
1KB

MD5
63dfb11469c1ecdbbb61d97b1b5819e4

SHA1
5eeae0f668e6bd0f4e5ab13ca875acb160e83236

SHA256
ff496e96380e899ca2e93342fc5d8d0609c6fa6f3b1af5369358dc91d8f62f80

SHA512
f1a6ca532d16af503308584cf81328921b3f0c50572f9a57fbdd437f20752c23609e7793bb7acd3f1c0033bf794f914af684887e01026e84f8a5f4c43940bfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onrxdafx.0.vb

Filesize
15KB

MD5
25ec18c6523029056b03da96d16039af

SHA1
adf2bc8e6077dd0d0e9cb9513ca239e7c28333c1

SHA256
c61bbd08a6574ac267170c8d182fc48501474b1d32e9de28cc34e474c0b263b4

SHA512
652338657bb84211a97aab4c10e5544c14366b6e000ec2ee04c732ef66c1d03e06b0894abbcd84d75f934b4788f8c7712fc2be3a33d267b5641e46c04eb0bcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onrxdafx.cmdline

Filesize
266B

MD5
e41956d40fa69376c27a32f301f3824a

SHA1
eb77ce51aeafd22b1834de076a46547bb7c09351

SHA256
571e6e8234dbc9dec05ccc5a0cc225fbe6bedfb422a7b6cc5cc57f70ab3eb27e

SHA512
7b106f110448bbe5d362a5529627d9c90bdd3cba2a452dffc250da1bd638e8d86427bc6d93df0783ad8d5d66a499f8cb52e79eb81570c17f869ae88192d2d92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp.exe

Filesize
78KB

MD5
dba41f3ea6ef15b4e4ca72fd19c2bc10

SHA1
3eb222673369a17a3b9abb455b8eb0010af1de1d

SHA256
dc274de3955956b34d872ddcec33e8ee41bf2f9dc4b29ac6907d0e46677ecd01

SHA512
41b2341718abf7a13e004d218991700e4a2327f46a634b95651664977d29a06b172dcb20e5d4f0dc83745de80764003c3517561afbbcf3b3516239367dd59bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A3403D6DC0641EB862637EF9EF632A6.TMP

Filesize
660B

MD5
c3c88c3671c77fe1ef957ab571669f47

SHA1
56049374359a7215949818dfb8957e0d27c4b2c0

SHA256
2aec569e95940da9dd0015a051038b14d876d8a97aed3163738fa6bcc13c6f9f

SHA512
1aaef3ca78868d22166064d3c786325168c6388f8134fad83a58638e3878b333dd389f22b8bd83a29a7e7a93e189224ab96115e893b937d036fb17bddd33c783

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/432-9-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/432-18-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-23-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-24-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-25-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-27-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-28-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2196-29-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4496-0-0x0000000074862000-0x0000000074863000-memory.dmp

Filesize
4KB

Download
memory/4496-2-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4496-1-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4496-22-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads