metamorpherrat | e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce

General

Target

e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Size

78KB
MD5

456c1ad72e09f02d88e6ab78d6ce43f4
SHA1

49e1e1e8180c54c9a8900592462a5acff2d78df4
SHA256

e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce
SHA512

df660ad128a8bb6d43a48e804e75b17273bd959679a740b2e8ab82f348d6f26e5cfebeb3d22b12af57841c612b936756bee3204902f8be3b00f0340d3f877b61
SSDEEP

1536:sPWtHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtQ9/01pg:sPWtHFonh/l0Y9MDYrm7Q9/L

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe

Deletes itself 1 IoCs

pid	Process
396	tmpE501.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
396	tmpE501.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpE501.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE501.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
Token: SeDebugPrivilege	396	tmpE501.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1752	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	87
PID 2308 wrote to memory of 1752	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	87
PID 2308 wrote to memory of 1752	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	87
PID 1752 wrote to memory of 2860	1752	vbc.exe	91
PID 1752 wrote to memory of 2860	1752	vbc.exe	91
PID 1752 wrote to memory of 2860	1752	vbc.exe	91
PID 2308 wrote to memory of 396	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	93
PID 2308 wrote to memory of 396	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	93
PID 2308 wrote to memory of 396	2308	e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe	93

C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
"C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbs5kxfj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE687.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5F857E5F6D344888512766198D121F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Users\Admin\AppData\Local\Temp\tmpE501.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE501.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e6806de448ff52ea2c78106fd0022ac06becee89011484b4a779eb701f4009ce.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE687.tmp

Filesize
1KB

MD5
c9f000b5cb551745c2b04d24aabe3dec

SHA1
0aab4f1fc5e1f796affcf8df15d500e39fe7456b

SHA256
ea0e0e79837c0bbbb26f5b327b0d98cfbf1413a40adf49853f39c7b27062f2ac

SHA512
78e97720633cba3787a78c2514aa50c8b3f65b786e298c91098e4af5a1a4ae3903c0c09b0509a00aad537286c448733ded38ab338c26ee4a948165ae25794d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbs5kxfj.0.vb

Filesize
15KB

MD5
8db36dce74a27a697a20df27e6838e26

SHA1
f3f4bb1ffa70a873221dc8b1040badc6b5884626

SHA256
ada850b2e99b232b334771199fd157e38699175c42261f3968d88705a6b87214

SHA512
9e15cfa048860f444ea913105e212ddde366e5dc9e90887bc15cf3568a1db3e847f2bd07dca94e8a7077afd4232d493a3ea8b42b63b7f60c3caee8d0957a8247

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbs5kxfj.cmdline

Filesize
266B

MD5
ceaa405f85ab62080eeb2d7662ee4a1d

SHA1
699a248c7febdc43955829192de74d698726323d

SHA256
77ea83068506a8eed05f81e762eee56b88ba483640cccb0d188a03c0621c53a7

SHA512
e08767d48ce49090de50852bebf421e5b3a10834611df679b87629a3f6b5fea3e8b82a4f8af60675e3ceb0d1ddcc4f2e8c7601f8a08f6d1abc9290e872fafaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE501.tmp.exe

Filesize
78KB

MD5
04791c452cca15fa811bf51b7e43c309

SHA1
8020b110e948f64af2b6a30a61c6999437636ccd

SHA256
64a52678f7a636c2f37d774dc34570564a7907265ec4b38ff1ded0c98a73e722

SHA512
1ccc8415e8e9dde5997bda6372335a05edfa539784612b05a5475e8beb8dbb6abd9673f104245b64b169b0147ae1e5036e8d739e7481d9cac467500c5dcd5a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5F857E5F6D344888512766198D121F.TMP

Filesize
660B

MD5
c1315cfe8dba15fc288b6f85616e2a67

SHA1
d8619f5f8ea583f7875c2d0a5a406ece1d2cbf98

SHA256
6ae79c4e71a85e9543513e2f8c65e3459fc7539c4c21389bd56a1e65dd42b884

SHA512
7be6141a6fab27d23f5ead71e9f9bfb9d25116cfb3bbc4fa0e690cf2551a3767deb490f09e0eb21c7a233101419ad289b239ee45fdb8de5108596f6353783882

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/396-23-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/396-24-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/396-25-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/396-27-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/396-28-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1752-8-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1752-18-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2308-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2308-22-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2308-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads