metamorpherrat | 1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c

General

Target

1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe
Size

78KB
MD5

6cb619b009a286f68dfce4171424e880
SHA1

312c3964ff0cf4291a2063a7a047f75fc723b26e
SHA256

1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c
SHA512

5a0398983458f7845197d805259327776a0f97e918243a0c94e2907e13a2574fd42807d4606131ba3326c9b91edf98965dd22fd2ea3a3786cee336c0c21a724d
SSDEEP

1536:dHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtH9/813t:dHs3xSyRxvY3md+dWWZyH9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	tmpBD64.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpBD64.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD64.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe
Token: SeDebugPrivilege	4880	tmpBD64.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4336	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	85
PID 3704 wrote to memory of 4336	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	85
PID 3704 wrote to memory of 4336	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	85
PID 4336 wrote to memory of 4524	4336	vbc.exe	88
PID 4336 wrote to memory of 4524	4336	vbc.exe	88
PID 4336 wrote to memory of 4524	4336	vbc.exe	88
PID 3704 wrote to memory of 4880	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	89
PID 3704 wrote to memory of 4880	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	89
PID 3704 wrote to memory of 4880	3704	1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe	89

C:\Users\Admin\AppData\Local\Temp\1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe
"C:\Users\Admin\AppData\Local\Temp\1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yd2ofy6e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA31C7DA191D242E58D73359E401F4581.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4524
- C:\Users\Admin\AppData\Local\Temp\tmpBD64.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBD64.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1cfc7bf36f0e17320f0fb8e6e49218683be2ba4780600ff93839eac8f3f8e98c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBE3F.tmp

Filesize
1KB

MD5
16fcda69151f80138080acc0d233c55d

SHA1
98a9ccde83d8fe2860715a4aad7a3e4d0858b4f7

SHA256
71c07373712d5133d2693212a04ce285c2e1cc6abde690fef8109ad5df92c9c0

SHA512
bf9bfc9a485e3db2461b4f7d3b9b26af020ccc684ec303108d617235689a1da6a79ea3847b711f795ac898de81817e65072790dceee4ecd367be1101a3778661

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD64.tmp.exe

Filesize
78KB

MD5
61cd7f0d786e2dd13ec702a00222d1b1

SHA1
83419bfd3ef67a1c09a9856654625134405d940c

SHA256
4d5c1b7cbc832a3db162e4881837a6c6cf6a599ffc40a1a1247bbf672ea98ec6

SHA512
a425195f8ea34f2c17fb2358deefe6e5c944de2d31902d462811dc7fdc647e78f716a7e67c2f990c39e16ac60ce1d438e451c8a140d1374449d913b8ce9810bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA31C7DA191D242E58D73359E401F4581.TMP

Filesize
660B

MD5
ed133e5f84dd99ccfe03dd919f100d9d

SHA1
76e7750e67a87f02eae7ffb44a61369aeb65a0b2

SHA256
dace8ddfcf84d929632c08a93c3dae73ac4079dfa17776b3bae420d523578773

SHA512
bd97455721000f1bad3fc04e4cf60149030a8f8e0a50dd0a74b79333ecdb0d6eaad251327b7bac5229254254f5d22876defd0f7f56b1ca2aa0db0aa63d0ce789

Download Submit
C:\Users\Admin\AppData\Local\Temp\yd2ofy6e.0.vb

Filesize
15KB

MD5
0873c4d5ef68c961c8b15df3e3910fcb

SHA1
163f46ac5961337f2966e97cd75a5dcb4271e0a3

SHA256
4c8411bf61e9f03dc48a61438ddf1b8fa4cf0a1b4073227abfc63685c1c0bc9d

SHA512
dd3371720b33171d3cd1782ea5734cedb9f33ccbe52e560bf4335816c1d791f123cadceffb81fbc7c517ffe334ae7aba032be6410087dc7a3ae34d97a0f66fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yd2ofy6e.cmdline

Filesize
266B

MD5
01669909955ced75afe8157e2f6ab3fb

SHA1
8124f9ad0cffc8acf458e63a41f39eeb832b51de

SHA256
7c64faef452593cba23b02a15d03dd18136d8e5c239f211898355c0d6fbd5e55

SHA512
b3b539637132bb6fccfa0925544e843cdfb7906aee286cf292d6eedbebbece76262c485f970bdbefc7305324b57fa35aedbf3001287b4e342e488af15df29316

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3704-1-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-2-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-0-0x0000000074B32000-0x0000000074B33000-memory.dmp

Filesize
4KB

Download
memory/3704-22-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4336-9-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4336-18-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-23-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-24-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-26-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-27-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-28-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads