metamorpherrat | 1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4

General

Target

1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
Size

78KB
MD5

2a21da074f16697437f40b59fc876ecc
SHA1

865380c43639748c3ae8cb7fd6ccca277a5cc7bc
SHA256

1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4
SHA512

e2a42afca1764b1b1d08a7596d92024b8c5abdebbac186bfd9a039825ecd087a022a7ab7276d7622da1a36dae2d384cdcfbb0849873e6bf3d4ad62b89588c9eb
SSDEEP

1536:Uy5Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6z9/Pp1kP:Uy5Yn7N041Qqhg79/W

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	tmp8676.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8676.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8676.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
Token: SeDebugPrivilege	4756	tmp8676.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 3840	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	86
PID 324 wrote to memory of 3840	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	86
PID 324 wrote to memory of 3840	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	86
PID 3840 wrote to memory of 5472	3840	vbc.exe	88
PID 3840 wrote to memory of 5472	3840	vbc.exe	88
PID 3840 wrote to memory of 5472	3840	vbc.exe	88
PID 324 wrote to memory of 4756	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	90
PID 324 wrote to memory of 4756	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	90
PID 324 wrote to memory of 4756	324	1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe	90

C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
"C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgvfbirh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FD0AF3EE2964D278D8DAE454BCD3EA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5472
- C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e70f7f27e0bd9561eba3865ef79ab285b428d5ee11897e71b1c0fb8321cdfe4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8770.tmp

Filesize
1KB

MD5
4e062d05fbe1aadf681013e0b387de15

SHA1
3763bb76980ba806ae89b32169035f2984bc7e59

SHA256
0afb945bb632e5c7cf66e97ff7fc616a6efd2865e448285c84a2c6b48fafee6e

SHA512
f1899d05f4202fce0abc5d95f2d240da184c3dfe0c7ec07db81801409bf151e72b3c27cb484cf244c28ee7232d88c21e3ee1075f0884663d34b29779e0c11bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgvfbirh.0.vb

Filesize
14KB

MD5
c2394814566da56dd1e7e184edd7dd0b

SHA1
f73e2cbfe689b5667f1bddf582277ab684c34f73

SHA256
0b3a02434c65f424d30563f2c08bcfbdb493b4850c9d1bf911e55a55ddf90e32

SHA512
e82f8af3a1d6dd584234e15d10cae4e2d174a520d2693c8f0fda6fec7aa20ba3ec21c7a06243b7275c99b8b802151434672a7d53a13e44a08f911d3a2bc3563c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgvfbirh.cmdline

Filesize
266B

MD5
8a6de197e7198b4d75c43eaa872646a2

SHA1
ecc87031d698327587644af7647bba380d7814b8

SHA256
51bf4918fe630d4932b07604001f82704680f81b356cc39c57e6d63bb44407d2

SHA512
ba89a8ad6270e39cac7b9fdf41a2c07d6e7faca795557a0867bc5120b0d947a8546f8313c50869bee183f547faae348021e7756eef1bbb8dcf8bf2f12f480f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe

Filesize
78KB

MD5
83a414b407e73e1934754080f46a2e31

SHA1
0562a52a5091b3f7d36e64e58ed5505c14ce3c12

SHA256
64f961dee83f2b942d9fc187c918b383dd61dd99ae4d3c4e875d3e761208267f

SHA512
d011ad0dec6f8c548c8f2210256c86f893e29295d94d319de96cac8643ceb8a2d51e2d979f1affbfee34b17b48694ef4f33d0601d64d2145116a67f5fe96e9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FD0AF3EE2964D278D8DAE454BCD3EA.TMP

Filesize
660B

MD5
fc11ea13424aa8429a24a022962ea6aa

SHA1
c9e3650897479214850263cb7b1fa9d7869d6a15

SHA256
1e65ce00f19c4c393a4b7b7fcecfdc96ce4c48c39ff4bcc40afc1e2f76d69dd7

SHA512
6bcf21de9bac68e5b27fc2ec6692e94327aab05e260251eb5c8fe6d9ac382b3b3fa468289f03ddd82c99463cf7f65eefac63a1c8dc4128f5042f7b286eed5598

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/324-22-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/324-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/324-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/324-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

Filesize
4KB

Download
memory/3840-9-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/3840-18-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-23-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-24-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-25-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-27-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-28-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4756-29-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads