metamorpherrat | 8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3

General

Target

8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
Size

78KB
MD5

7bfbe9f42a7aa4e975f7946d44b3260f
SHA1

35b0151f326b99687a8344c5af9e3fb431499ec9
SHA256

8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3
SHA512

7b8d5113fc2642541da57bef8cc7f53eaab22dc0f7c25c93f274ebf9ee17395912e494ebe86b3804547f5677a9bcf2d493a4fdee2f6dbd5501c628d848ea89f1
SSDEEP

1536:9RWtHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRk9/O1GD:9RWtHF8h/l0Y9MDYrm7Rk9/H

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	tmp5999.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp5999.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5999.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
Token: SeDebugPrivilege	2820	tmp5999.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3484	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	84
PID 2064 wrote to memory of 3484	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	84
PID 2064 wrote to memory of 3484	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	84
PID 3484 wrote to memory of 1392	3484	vbc.exe	88
PID 3484 wrote to memory of 1392	3484	vbc.exe	88
PID 3484 wrote to memory of 1392	3484	vbc.exe	88
PID 2064 wrote to memory of 2820	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	89
PID 2064 wrote to memory of 2820	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	89
PID 2064 wrote to memory of 2820	2064	8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe	89

C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
"C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzo5mzen.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56E40FD0613F42D8A37210732D26EED0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8153087dbc258f47556148be5da4f5aab0c12ef0a884b6cdab6eff3a8cef45b3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmp

Filesize
1KB

MD5
1a45d6d62e276a01f65d96d613d32f38

SHA1
064a22541751f6b754a43f990a841e5b8a98819b

SHA256
9f83eb063289b19513d70974ebfb062fc3adfd3ea531c65414640e8fca62e166

SHA512
273e93e3c483a98b55ac33af6e78c90af90b072a89297cb7033f0af8088f0573f42565393d15d3e28c00a0a6940c8bda46b98813b7abd8321f1758760c9fecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp.exe

Filesize
78KB

MD5
1d4448a78a8b5c0e99bce5d6876cea6e

SHA1
d069479d23edf4efc7236a7b2989b0922ba76d35

SHA256
7cc8aa73725178812a42d076413cc9f3d94545b61a01067f180137366170602d

SHA512
3dbe43c6de72e1674323c0a582e6977cf40b9f7c8965aaefa78a291f5b1c65a1e60d6a07829c73db6b87723b2e07d59eea2fda158505b8c8c40990998b680395

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56E40FD0613F42D8A37210732D26EED0.TMP

Filesize
660B

MD5
041b837c3e572e9412a72f984a61b94f

SHA1
dc86985ee4198753e286b00e1c3c6dd9f3078e83

SHA256
c5ea74f379f34d372bcb7ea92cb06b5c03aca903ee3c46fd62adaf8d50e57adf

SHA512
babcda4fd87100f5f6b7aba66d507589d6f9e1153a1acbbc71a1dfc794bf6fc90cf5d99b9b0fbfcce9fbcff31e55eeb55b892abca9dc833453bd7ceecb04354c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzo5mzen.0.vb

Filesize
15KB

MD5
4b1687aab98be435894f9ee0b6b64ca5

SHA1
b44e326c3b21aba5540d7a8c0dc1a072b28efec3

SHA256
000a40ad49f3c23fa9db0db1c86574d73720dc2501763903a73f234fb5a2372b

SHA512
c1f3badb18cc3aae774a9f93e5440aee613eb6202b63b612da07fe91fca598f1f12160a7b931d5b02bff00ee957d4a119fcc17d078f1660c33572c9dfb8124c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzo5mzen.cmdline

Filesize
266B

MD5
cbff65d4aa6ca5282212c6b58931998b

SHA1
c65da14cd0ca9d00291b015ff50921bf23cb1322

SHA256
68fa672c0cf7b818795a50d71ebcba386e3eb62b4fe68deb420f86c1967a90e3

SHA512
c3504e4d076e72fbb28c9e0c7ede2ccf9fd0399d470bfe67b0e0f09a6e1f903a4d6c6e09121ddc2536055df485139139cb0bccf22ab4648a41e3d8f93b76b261

Download Submit
memory/2064-0-0x0000000075562000-0x0000000075563000-memory.dmp

Filesize
4KB

Download
memory/2064-2-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2064-1-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2064-22-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2820-23-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2820-24-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2820-26-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2820-27-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2820-28-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/3484-8-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/3484-18-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads