metamorpherrat | 4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2

General

Target

4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Size

78KB
MD5

0e8e21864547ecde60c6d1747016c0a9
SHA1

087492c141051e9ef01b5617f62af826aa800e0f
SHA256

4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2
SHA512

6fba64291a2b76d3eeb5d63e9aec9097ec9b7f6c1835976dd3d29aa9ea9b202c8361954a0f8ac8b9969db4e09e626662e72974600630c8b2d2119e1381e975b1
SSDEEP

1536:BWtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQter9/G1Xf:BWtHY53Ln7N041Qqhger9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe

Executes dropped EXE 1 IoCs

pid	Process
4456	tmp7A31.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7A31.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7A31.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
Token: SeDebugPrivilege	4456	tmp7A31.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2516	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	87
PID 2108 wrote to memory of 2516	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	87
PID 2108 wrote to memory of 2516	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	87
PID 2516 wrote to memory of 4772	2516	vbc.exe	89
PID 2516 wrote to memory of 4772	2516	vbc.exe	89
PID 2516 wrote to memory of 4772	2516	vbc.exe	89
PID 2108 wrote to memory of 4456	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	90
PID 2108 wrote to memory of 4456	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	90
PID 2108 wrote to memory of 4456	2108	4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe	90

C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\apqub1og.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12F9A8CDDC504A30BCDB9015619E2DFF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- C:\Users\Admin\AppData\Local\Temp\tmp7A31.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7A31.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f46bea84881f0a2a900afb1a86742bfd3bb531c0e0ef5c69567518a5966d4b2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7C15.tmp

Filesize
1KB

MD5
12f4afc0df76517337d4bf642f1e9b21

SHA1
772ecff38e03c6b80973aa89107ca5009636203b

SHA256
db921d88259925e8fe569c70c4f4303ef00055101e0ecfa79cfc294022d8cb21

SHA512
0523eb55d26c46c5540b9304c6ca146d81e50e6f60ae5f7e44f5bc0a44f06d77adf5f6801c17245a6bd27ea644ee2c038268adfc14a0465c9c63db21bf29385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\apqub1og.0.vb

Filesize
15KB

MD5
ce394ea71f907e563a1cf0aeef27820f

SHA1
44375a68c5ce9055f1b2910a08578a5ea2be8593

SHA256
1e405591a11771452f82527369e50de4ef67acd691258c1aa01413b15f76b6ff

SHA512
aa5b1d6674aa47cbb79f5979d4810e16b6a08d7dd243553b5b18fc6862eca7042920a8219387621e9fb8f459f0f3a95c17f9044e45469506e6e06674f8a341ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\apqub1og.cmdline

Filesize
266B

MD5
dc30f25fa18676459053642f0415c7a2

SHA1
a186ce60884d7196adca5ab7e90fa024509b4346

SHA256
6b41b6c8f3dad11d68dc54356302f801e46bf471c0763a96374e04517cd760b4

SHA512
11a0fc30ad24374276600975b50aea965b91860aef3f6d0081942489fc9ac20b94e273f1a9ced1e47ab5623e8758056552e210876ec50c32ea263308ea9e1939

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A31.tmp.exe

Filesize
78KB

MD5
4a49bca5b63d11637a0c5a31eb1b8f00

SHA1
c295fd75f28f12a158b3c1be44bd9a79fed5a326

SHA256
56b83453b93f98b374ea204ef59118062a1c76e1c749da23ca0621e9a0776b97

SHA512
183127f44ea5d76f4f7cd96712b3f8ddd3fa460a03da9088c50b7352d0ffc8797160eadb1247abc950f093dc4e0248163add326864818c8855637baeff98ab21

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc12F9A8CDDC504A30BCDB9015619E2DFF.TMP

Filesize
660B

MD5
9c4386ff8da6d1f8c395c9fa85e8eb0d

SHA1
dc7ee35eeaefbcbc016d1d51fdc4f9c487cf3c64

SHA256
381addd657a43320f7c93b3b19fd193e8c37c9dcf5f29bb6fb21b964909a6aea

SHA512
92395c60674bd34953de6c0b8746b8fda32da10ac476c4c7e0744954a5e07745b6b9cdff90d34d3c0cfb4cee525790449e80e85d644ca638e203168a7da86158

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2108-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2108-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2108-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/2108-22-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2516-9-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2516-18-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-23-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-25-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-27-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-28-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4456-29-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads