metamorpherrat | a32ee6a1016da3fa161567b7c6076f04349bbf68dd8d0121216dc87d945a8291

General

Target

86708573785c3eaff0a6a5295bdb2b61.exe
Size

78KB
MD5

86708573785c3eaff0a6a5295bdb2b61
SHA1

218eb32d41e4506c327c47e21e1ded982fc89db4
SHA256

a32ee6a1016da3fa161567b7c6076f04349bbf68dd8d0121216dc87d945a8291
SHA512

932e1ef0b38eebad4ecc355a52350c7f998262af132817c0a27833e961eeb6b6602cb6acedb0dd2cc4bca21d5bb6e0935a63ea2f7db7858db07176616b7f6c98
SSDEEP

1536:sCHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQten9/S1/p:sCHFon3xSyRxvY3md+dWWZyen9/y

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	86708573785c3eaff0a6a5295bdb2b61.exe

Deletes itself 1 IoCs

pid	Process
4700	tmp43FE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4700	tmp43FE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp43FE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	86708573785c3eaff0a6a5295bdb2b61.exe
Token: SeDebugPrivilege	4700	tmp43FE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2444	4524	86708573785c3eaff0a6a5295bdb2b61.exe	84
PID 4524 wrote to memory of 2444	4524	86708573785c3eaff0a6a5295bdb2b61.exe	84
PID 4524 wrote to memory of 2444	4524	86708573785c3eaff0a6a5295bdb2b61.exe	84
PID 2444 wrote to memory of 2908	2444	vbc.exe	86
PID 2444 wrote to memory of 2908	2444	vbc.exe	86
PID 2444 wrote to memory of 2908	2444	vbc.exe	86
PID 4524 wrote to memory of 4700	4524	86708573785c3eaff0a6a5295bdb2b61.exe	87
PID 4524 wrote to memory of 4700	4524	86708573785c3eaff0a6a5295bdb2b61.exe	87
PID 4524 wrote to memory of 4700	4524	86708573785c3eaff0a6a5295bdb2b61.exe	87

C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
"C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jxlq9bol.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES448B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53550D69623140D580B4D16B1DAB7636.TMP"
    3⤵
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\tmp43FE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp43FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86708573785c3eaff0a6a5295bdb2b61.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES448B.tmp

Filesize
1KB

MD5
13b5a2dd2bbf427c30e365cf26cd3078

SHA1
f543e0bde9b72b14b8b88f6f0184985f5bb5f25a

SHA256
b4b47886a32ed55f8f23c043ac250fe449d4d474dd6a04de5a06d47f2738e343

SHA512
7343f1d7ad73918e8df1c1c9854ffc7ee81bb73b1716bd8075229231253f0af93f9ae22d0bd588341df3225c2241c78ebbc003ce7f2227d7d30fae24608a18dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxlq9bol.0.vb

Filesize
15KB

MD5
9bebf45d68ddb6b94c8d20eaf49ce3b8

SHA1
a484d102139ab20ddaedda8044f3a1151b68965d

SHA256
347653b0912c17c7c40d3201ead05c7dd31e1b88ba635a5525644b16f3e52d1c

SHA512
f5a4f4dd8ce4130d8a55e632e7020b4c6232f8be99446c5e376c7e6b6a3ea382f1b7d2ee3b4688dd9985ee4aabe8d1a7a184dddb3adb0c303b12467a119c63a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxlq9bol.cmdline

Filesize
266B

MD5
16e4be26230cfa24da75ccdc56345bd9

SHA1
c48d767337e7cb67d9a86673d8c28268bdb757a7

SHA256
d3df82df761531ad82d231095e92df1097a5fcf6aaabf6ec5b5a6aa78bf6eb1c

SHA512
acdd1c2ca7d42fba8c67cfe542b7d9fb26d6cbda5b042b2aa527474ed33e845ac5beb02a1ab679080c38d6f595910c4f5b559c53a279230d36ead532bc99a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43FE.tmp.exe

Filesize
78KB

MD5
50eb353e91e24c969915a1f2c983c4b7

SHA1
37fa882048f55b365b3c51261a8c5393d659ba33

SHA256
0997e3f461654066d46504a04dafa1f1807ec5454df89d220e205db5c887213d

SHA512
e1694ec615612889daf5261234757067a617756e8278c328f9b40620a13bb493693fc77090c8b8a65a48373bfc1d9b9670db442e18259075a0871dd45666e74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc53550D69623140D580B4D16B1DAB7636.TMP

Filesize
660B

MD5
cfea2429a8990af4d9b871e35cdfcdba

SHA1
73bb17aa55f106b0c60e31082b3b65be0da9a6e5

SHA256
48ac4a3d4fe68a01c4c86a414c0725ca27bfc571313ca32bc4d28d7acc310e6f

SHA512
ffc75a5eb0e8d686bb0c7f7dcdb322ded870a8470ba720a6472a387034ea57f42487eade4fc7f3bc9eeb7317d49551339caff0876d03f842610670de9a372e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2444-8-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4524-2-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4524-1-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/4524-0-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4524-21-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-22-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-23-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/4700-24-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-26-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/4700-27-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-28-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads