metamorpherrat | 9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abf

General

Target

9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe
Size

78KB
MD5

6d2be046fee10eb0a836e8caf932fcc0
SHA1

b4e7945d5eeabfa378d23b5c3457da6495ac0767
SHA256

9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abf
SHA512

e35746cb5d865364b2a22d53d92de2a0b6226fe72a379e81889aeaae0b21927d05fb7f708f4b2585eb95fd89d0c7ad04708bd8e640560a2209461e2ef6c49e22
SSDEEP

1536:J5jSLLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6F9/HZ1D5:J5jS3E2EwR4uY41HyvYd9/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe

Deletes itself 1 IoCs

pid	Process
1300	tmpA410.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1300	tmpA410.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpA410.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA410.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe
Token: SeDebugPrivilege	1300	tmpA410.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2028	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	87
PID 296 wrote to memory of 2028	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	87
PID 296 wrote to memory of 2028	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	87
PID 2028 wrote to memory of 4344	2028	vbc.exe	90
PID 2028 wrote to memory of 4344	2028	vbc.exe	90
PID 2028 wrote to memory of 4344	2028	vbc.exe	90
PID 296 wrote to memory of 1300	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	92
PID 296 wrote to memory of 1300	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	92
PID 296 wrote to memory of 1300	296	9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe	92

C:\Users\Admin\AppData\Local\Temp\9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe
"C:\Users\Admin\AppData\Local\Temp\9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i0dwxaow.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE52B79BCBAAD4A30ADCF76DDBE18B928.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- C:\Users\Admin\AppData\Local\Temp\tmpA410.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA410.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9d564c22ef9dcdfdbe360bdede6bf86d15d68eb84c4d6f5958ae9a25d30d1abfN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA5E5.tmp

Filesize
1KB

MD5
b556adabac8a6cd786ab3e25a9b8d0c9

SHA1
cb38d9b81c04441cffca22dc9bfa696f6f9ba788

SHA256
87294cf0c95147d3bfa5424e173e3470e1bf2222606bbf922906e578046c24b5

SHA512
28a7ea89aca1de32f265030c0dd759c417e803751177ffe7fe8fc73788adafc5620e4ed527b09b4919be9397432fb96cbcdca3c92ccfdc2b44d6887d5d7c2ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0dwxaow.0.vb

Filesize
14KB

MD5
2faa6bdd6a191b5ddbec50adf45782af

SHA1
24685939c941ad441f5d1915401c4ca2e48d4ddf

SHA256
c05f33e33f435b2d9d527c39a5c604567fdc3f44ed01445d65ed523541c342c9

SHA512
c4111a1a0cd53cd0acd91238c570569cbbc5abfb28698b25af551d2c2a3c114cc7dc42184a9b9f2eecb9b5cdcdc0d90bb137f5216f31d28f6e20b63111372201

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0dwxaow.cmdline

Filesize
266B

MD5
478b4f85e662486d388bb2297af8964a

SHA1
04e227e8658589dc6a253754eda401d1d148aa43

SHA256
bc5dbf7b80e7b649e92b3b71294ee0a5da354cbf15c8e2dca9995e6a2525bd07

SHA512
b5ab67b2e3666fe93385eec5d3bce1605810d869a523b82debde64ed165230609d34f31f7f8acbe59fea3d83fc3a84001bcddb5886a4190adc47cb376f4bf819

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA410.tmp.exe

Filesize
78KB

MD5
5102fd69f83cd4ff5addb19b8bb65a5f

SHA1
c4d05d0defcd7778e6a06fbffc50acf83d068414

SHA256
1a02e192f81ee46582d8366a398f0d2fd80be6fdfc60c895fb34396fd4902450

SHA512
b6e839bdc9fdb7f0cafe22b1c7c772a402d15e43e55985dca3af4a6c5a102dbf752b415d41802f6b8c065a69770b5beafbd76522c679c0e2546a4c73d7c88c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE52B79BCBAAD4A30ADCF76DDBE18B928.TMP

Filesize
660B

MD5
d1e2366c8612c6d86a28170aeca6a95f

SHA1
d26611ef597c0bceb6b5aa3a3a137e27ae7f822d

SHA256
e60ffa0a9ab003d6c27d880abb2e75e364f79b4a55e3e3f32014e988d30385a8

SHA512
185814bf9e9f57f0e5f193b400a2b85308b922f1c6f1c8f8a067b5b781b3887f3a10482e5b9032d7f7be7cb6b65f24a4d28bc3e94b0f71d2cabc54a4e550a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/296-1-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/296-2-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/296-0-0x0000000074E02000-0x0000000074E03000-memory.dmp

Filesize
4KB

Download
memory/296-22-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-23-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-24-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-25-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-27-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-28-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-29-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/2028-18-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/2028-8-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads