metamorpherrat | 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63

General

Target

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
Size

78KB
MD5

7f7dd4f0729e7e99746f337f24a68bba
SHA1

ed2fc51c181adc1f915cf2b1ab0e607a46558735
SHA256

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63
SHA512

fd756fde7a7c21e59ea20a4dab232868420260f682c48116cc1454c4669c8ddea50ad243e10df7d521e9050963246b5d72df2ebc734b577eb1d2fe19905b4a5a
SSDEEP

1536:CHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtMK9/DC1OF:CHFoI3DJywQjDgTLopLwdCFJzMK9/J

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

Executes dropped EXE 1 IoCs

Processes:

tmp7ED5.tmp.exe

pid process

3584 tmp7ED5.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3584	tmp7ED5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exetmp7ED5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
Token: SeDebugPrivilege	3584	tmp7ED5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exevbc.exe

description	pid	process	target process
PID 3524 wrote to memory of 4716	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 3524 wrote to memory of 4716	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 3524 wrote to memory of 4716	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	vbc.exe
PID 4716 wrote to memory of 3532	4716	vbc.exe	cvtres.exe
PID 4716 wrote to memory of 3532	4716	vbc.exe	cvtres.exe
PID 4716 wrote to memory of 3532	4716	vbc.exe	cvtres.exe
PID 3524 wrote to memory of 3584	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmp7ED5.tmp.exe
PID 3524 wrote to memory of 3584	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmp7ED5.tmp.exe
PID 3524 wrote to memory of 3584	3524	8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe	tmp7ED5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4m31srp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927417E7424CB6967BC1AB90F770F2.TMP"
3⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp
Filesize
1KB

MD5
baa6f20fd3d90b15e084da962d013f33

SHA1
b388dc1de95f73b91e6327c75d906a55a89492d4

SHA256
ee8edd2f1e2eb9aa586029b962ac9077ec89246af6d060656a1299c4b5b8a8e2

SHA512
d349d4a49e2d9dfab9c6bfe59efe4598e72f8e21c23d812bfe522ca74df46ee7b825cdf96679fa55142c00df5da0e9aced2d8694e21eecdaf4a06d19b1020362

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4m31srp.0.vb
Filesize
15KB

MD5
0b6d9d7db126fa5d4cae186347e493b1

SHA1
5cebafe94274d0aadf1ef3c33a86c66dcda5f8b6

SHA256
03ff58a809ddf29074cbb7e1f5ca6b06350a2a842bb748caf6a6b0607f7fc503

SHA512
941a768d96f0ad1d76d4175029a304ea149eb61fdee0f23993fd9c130553528fd960b2c95f0d53fb0a7e8796873240ddbcd26e9e078ebe57122b9584b4b18062

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4m31srp.cmdline
Filesize
266B

MD5
09ec2a846b5815cb122ec9e57e0bf11f

SHA1
553f42f5b72abbe4e0bb1f7e5af429b8ee3f4661

SHA256
437eff1b2b47166d4f1de7fcc5bd4e3fa6ba175fa38b775cf6c150d9b327e141

SHA512
8eee1c5eb6d646cebad586ce670b168b1574c431b5a793adc46cd6fcd54dbab9135ac3aa038b54437cb9f74a093c1783aa5ddbe88c2a0c8bc93cdbb035ab7852

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe
Filesize
78KB

MD5
67b17f326cfea571157ad1ae0d2f0431

SHA1
2fa3bdfd6b323e04e4071d4879947ddf96a5d6d0

SHA256
1fa299cda9719fb24f2782421e3043655ee71dfa87f6222debbf227d270763ec

SHA512
e26af8435afe6f8a7469ed200695ff66e51df702e521d65b3c45d6acb97f360452280e56322cc00f3fb7fae4f85acca8b045042e55b1de3f27edde095ce751a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc927417E7424CB6967BC1AB90F770F2.TMP
Filesize
660B

MD5
d180d1702b4a36e7cca42112c7c880dd

SHA1
51eb5f828bc7aaf1c4213347177add7e700c4d9e

SHA256
f677f2c70e96e0a1068a1eea815a70d47cf2c15e0a7c41200c0568cb1ff11f25

SHA512
608fed29566162a58a9572ea1c9a123708838a9fd299db52afb17b54fac3432e9331f0ae59a5249f052b10c0f26379553f9c055e94ef314f95febf7e5117cac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/3524-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/3524-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3524-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3524-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-24-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-25-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-26-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads