metamorpherrat | cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267

General

Target

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Size

78KB
MD5

0a2ce31e8654f4c3ba6d81bf7ac51e00
SHA1

a0844a42d36b88b78074e967f3f946761b48ad28
SHA256

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267
SHA512

f8d20f0e97e3bc01c4480682f961378338a8d26f16a4b071eb572033ee0028920d006d5b78887c572b29eccdc2e491ee3dd87dc86ebf139dded1b9330ae0fe7c
SSDEEP

1536:OHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLQ9/hg1Kz:OHFo8dSE2EwR4uY41HyvYLQ9//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe

Deletes itself 1 IoCs

pid	Process
2844	tmp74A3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	tmp74A3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp74A3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp74A3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Token: SeDebugPrivilege	2844	tmp74A3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1664	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	85
PID 2988 wrote to memory of 1664	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	85
PID 2988 wrote to memory of 1664	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	85
PID 1664 wrote to memory of 1848	1664	vbc.exe	87
PID 1664 wrote to memory of 1848	1664	vbc.exe	87
PID 1664 wrote to memory of 1848	1664	vbc.exe	87
PID 2988 wrote to memory of 2844	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	91
PID 2988 wrote to memory of 2844	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	91
PID 2988 wrote to memory of 2844	2988	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	91

C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
"C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yzlcoyni.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES758E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43F37C65E8DC428B9A9B2F2940195FD7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1848
- C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES758E.tmp

Filesize
1KB

MD5
eeaa868e5f32eb16e6d95bc9c756ce78

SHA1
50fa92dbd0e46a4e4a30a09013c6563515068cee

SHA256
3195973ed556230e113180e1022b2e530f18303fb2451cfd1b392afcc5c777d6

SHA512
e26388e49d7eef4bdc5d9efdecced8ce091eeeaff509fc94576af024c7d42cbc9fc5516b56454f2f30687a7a7dd0ae1ee326ce6bbbf098da81e0c2e74dd0476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe

Filesize
78KB

MD5
9a62ac86c7b9ed46026948c8deca1857

SHA1
4d66877d4e32fc748b09fc4c7f06090c0c0aeb3b

SHA256
65e8a9b2b2933f397acf9dab52ffb8237ae425db083393dff9522f9fbab0d7a3

SHA512
4c87c5a32bf0e76cc3f54f1fa536dc00e9ddc3beb2d5a3d8763b9fb4f27480a196eb0235b770d00c53b13a1071c0b272349f0368e7839aa09a5e9629eecff46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43F37C65E8DC428B9A9B2F2940195FD7.TMP

Filesize
660B

MD5
962ae2c136f70946baadde34c07d78f2

SHA1
67bff3b55bc40e593c722e863b908efc51e5950a

SHA256
856127689bb47c94cc836f133275ae88a725fb8fe8adf88b87ed7f5f0cca5cfc

SHA512
e067cae774820e75fc3a48ae73b7252a66894ca3ad4739ee40504f7afaa524525574c376127b22df14781f6d91d66d9e4bccf536b8535f80af597c8b28f6765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzlcoyni.0.vb

Filesize
15KB

MD5
52f2ee82ca83b01adb1a615d4f6d64d0

SHA1
0b138f7e3dd8d99f473d77b50a1f74e1406715ca

SHA256
7f45b606d946243077f09b767d238f82fc8be71ee1e9f646c3b186d5862fe43f

SHA512
10c1aa36938666cdcf09e6b14071bf8e5013e1ba4605f44c86241c34a4ca83066055c03f0f24d558c8a84bfbec623955b0f749d4bb66b31cbbcce1423d3baf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzlcoyni.cmdline

Filesize
266B

MD5
f53a52861e69f1089b054aeacc276c7e

SHA1
8f73e3bd48bb154b6d0993d058a8f9954c09c63b

SHA256
5ff4b86c310ec198d65aa797687921753dc9a55c63595265dc7a61d3e38aa64b

SHA512
e4d46eb976ba8128ef5ceebfb0389a601069825ca30473474544d20fc96383410c5e4efa76f2153005761f4cc551861a469742531ace4e8817dca4f8a85066e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1664-18-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1664-9-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2844-23-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2844-26-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2844-27-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2844-28-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2988-2-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2988-1-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2988-22-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2988-0-0x00000000753B2000-0x00000000753B3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads