metamorpherrat | 46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81

General

Target

46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe
Size

78KB
MD5

ebf1474d2a83176252bfcb948af8c175
SHA1

4f07e9560e3960257e099df00b06e0c6982bcda8
SHA256

46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81
SHA512

d1cdd8903151d0f523fc298563b9026c7fa580ec9caab33fed926a28639ab3d76ad59228a3c847df12babeee544e760f390927423da919c051f8e7eb10a62696
SSDEEP

1536:k5jSVdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96Y9/hD11F:k5jSAn7N041QqhgT9/hJ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe

Deletes itself 1 IoCs

pid	Process
4704	tmp8BA6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	tmp8BA6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8BA6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BA6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe
Token: SeDebugPrivilege	4704	tmp8BA6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1372	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	88
PID 2740 wrote to memory of 1372	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	88
PID 2740 wrote to memory of 1372	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	88
PID 1372 wrote to memory of 3020	1372	vbc.exe	90
PID 1372 wrote to memory of 3020	1372	vbc.exe	90
PID 1372 wrote to memory of 3020	1372	vbc.exe	90
PID 2740 wrote to memory of 4704	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	91
PID 2740 wrote to memory of 4704	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	91
PID 2740 wrote to memory of 4704	2740	46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe	91

C:\Users\Admin\AppData\Local\Temp\46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe
"C:\Users\Admin\AppData\Local\Temp\46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlmgxyad.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc865A74CD99274ED7ADA985155574CD3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\46233658f6499adbb58501d286792830234e7a476c6739b9e6f0c72523ff0c81.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp

Filesize
1KB

MD5
3b531891b1d73ea07350e51758825ef4

SHA1
7984827bd972d2d7da1adfe378e66a109206e36d

SHA256
1f75dcdc274cc929a70f1e522bb39753c3f3d0c23a8ea1ca19e9d85c7a3e1a89

SHA512
f79a5b51521612975ace5e6f9e4927a3b4aca1eeea86d0c66465705c19d33d85b145ba91ebd49497653c32501e6ad8b8f24f665038526ade12034b072932f082

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlmgxyad.0.vb

Filesize
14KB

MD5
ce2d3c69c497834a4b16d556cbe73034

SHA1
3988203d388e57c074bb38b1bf282dff6bcc6f35

SHA256
66e72f9c71ffe98786b3e6352fab10e570c4d522c326e6e92ae228a40f880665

SHA512
5406518224110fe91dd934de75ceaa89741fad2b3fb211e2d2b94e3085d4ba57d1f55ecac7b78039366fcc492f2bd27672713bd2cff9ea8d2d38ac93aa23c201

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlmgxyad.cmdline

Filesize
266B

MD5
4c2db8d20a24840e8f158fd22db11719

SHA1
19dda30923cf3b412d6403028920ed46c3bca98f

SHA256
fb04921449f65ffd75927495a0d2ea7f5ad68e02de9edc174f19a7918568ae3c

SHA512
75125fbeb39c378f32d71aa0ea2ee1b7ea43a321d83f6ef118c6015fb3170ace9f7b63b1ca534f2e257f8dd3486bf77d697f75acab067ba43761f6c7d90c2633

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe

Filesize
78KB

MD5
05a990e53f07e6701825375882b0a78e

SHA1
dcafe32a99f188acdc19872ac23d235e57bd2568

SHA256
5d194a405452617edd372a658b37a7cb22be0a1b2c8b2b732bfdde5cf6d50e52

SHA512
e04f6b9fbc2a4e06f34c80305656861102b2f2ba21e32b1f05d62fb24d406b563848e5c2b48d1eebdcc19a4629195cc985582121c14b5a4f186ecbff3c338066

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc865A74CD99274ED7ADA985155574CD3.TMP

Filesize
660B

MD5
934d30669ceb83f23a9cc0328ba47fa3

SHA1
5e933aa042721a1907a24c8d74aec959289787ba

SHA256
4aae529bbbf1883af235fe875e63104075387bfd4a884b59db649fb19c11d36a

SHA512
5e7147b6a17cffae4cd0388f766250e8bebb9510984098edae3091d683035412fc33b7564373e7d6b157f254faa362281ef64cd6265b53c087f6b4dddc818fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1372-9-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/1372-18-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2740-0-0x0000000074F62000-0x0000000074F63000-memory.dmp

Filesize
4KB

Download
memory/2740-2-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2740-1-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2740-22-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-23-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-24-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-25-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-27-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-28-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4704-29-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads