metamorpherrat | 90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e

General

Target

90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe
Size

78KB
MD5

7398657f6e29412c7b7b60fadd719f11
SHA1

615e1d808eecfc48cafc46645f99253326f56544
SHA256

90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e
SHA512

60a764f03ef44ab93027dd86a94329f604820a3ab5f8a37734394da6aea66e931f83645296e6187dcd2a6a309189bdbee3312046328d4404fe89a904bd0fcebd
SSDEEP

1536:dPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/9/B1Ar:dPCHY53Ln7N041Qqhg/9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe

Executes dropped EXE 1 IoCs

pid	Process
1124	tmp73F7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp73F7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73F7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe
Token: SeDebugPrivilege	1124	tmp73F7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 5060	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	85
PID 4836 wrote to memory of 5060	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	85
PID 4836 wrote to memory of 5060	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	85
PID 5060 wrote to memory of 3676	5060	vbc.exe	88
PID 5060 wrote to memory of 3676	5060	vbc.exe	88
PID 5060 wrote to memory of 3676	5060	vbc.exe	88
PID 4836 wrote to memory of 1124	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	91
PID 4836 wrote to memory of 1124	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	91
PID 4836 wrote to memory of 1124	4836	90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe	91

C:\Users\Admin\AppData\Local\Temp\90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe
"C:\Users\Admin\AppData\Local\Temp\90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnqfmqle.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CE867E966ED46A389CF24FF9C4223B5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3676
- C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\90fa4a03b9d36758c59a51702839a62cc1e551bf45ae32c07f29666de7a7bd5e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp

Filesize
1KB

MD5
78daf59a067dc77ee2a7907640bdd10f

SHA1
f7f220e1febb3a35c279c3ba03ef164e5c0c9557

SHA256
0117173f8285430a2cc98030ab422c1c14f71c6a46152335d0ff0cb4c8038e3b

SHA512
4bd117b081a70392dd9b6a7f729d15ada5a8537431ceb565e887bdaef5183a3e8c9df5635568b919ed24357107161696b013c86dde9a98ffb110b66b07eb71c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnqfmqle.0.vb

Filesize
15KB

MD5
b4d5359396354cbde27d3e46cf39d29f

SHA1
05003c94bf88e3b923eb288202f86a35f0a2a723

SHA256
4d112d065251a826e8d35354c629a78b3fceec1833a23bd4a082a2ec95ca5f70

SHA512
45fcb7f4c9ad5e6cede5e611a2dec7476f54843371e0ff2550778d5258a321b9cbe539c9f73562b83b433d4050d4f81e7542300ac74873b4af6db1be3516ec1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnqfmqle.cmdline

Filesize
266B

MD5
3c4f275965dc6566e298d7ca2756e91d

SHA1
bff09e9bfe7289f32d98e1bd7eb42f67f3d6d9de

SHA256
f586f89d74affeba91402184a0e558bfcdaddced7728b5790564b5eef10d8cfc

SHA512
a192448f30abd77897233ed596e6fe5252f335e3dcaa8b7124de201f92dc3f9d2b355a2ccf847bc7f84efc3ca483da94ad06c3bf4cca823f28b9571db3b2e437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73F7.tmp.exe

Filesize
78KB

MD5
12d42495c2607b4ae65f9c9494d23632

SHA1
89fde5e803e4e233bb5a49f8d579392018596c3c

SHA256
eac76e3628f9213042e7bcb7e541f537b408e17993dcac03dd70a947ae7b3b6d

SHA512
6fdd1e3aea6f8d4c5d3e0d7a9eaa4c12769e601ee4c80b4f06075646742a1da82f0d5bb6590c4eb57975405a26ba6d5bf3c12bf4651687b4a3b7f8d88f2ee223

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CE867E966ED46A389CF24FF9C4223B5.TMP

Filesize
660B

MD5
ebee8554b3fcdfda54cfb3237ba7ce50

SHA1
0399f0c06441e813ae95bf685e2049740e2c31fa

SHA256
803a16f2941d430293fc7d3d2183939afc92c92a5b8c6a3f1b29dbfd35017be3

SHA512
b7e958ac0b278189681b2682186453a9aa58df61863d4aca3d39ffbfc833488b59750dfedf5ce7251126343b2a9d0c79cf54d5ee5ec75db20d13e1a07e210cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1124-23-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1124-24-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1124-25-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1124-27-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1124-28-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1124-29-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4836-22-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4836-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4836-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4836-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/5060-9-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5060-18-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads