metamorpherrat | 5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a

General

Target

5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe
Size

78KB
MD5

5c6d7e3cf605e022d8abc27d32563ebd
SHA1

ee759c776d2c9609bb9831b83ea23b11179d06e5
SHA256

5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a
SHA512

34102b479dc871db5595fb3422f0e2da8a950db4385f0c3bd9a0ce531075a4593c84b83ec7fafddc3e84208f208910cabeeb23072b4ad0a3e39eb404fc1f516d
SSDEEP

1536:zHFo6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtn9/YCE1BJ:zHFonh/l0Y9MDYrm7n9/YCu

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	tmp903A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp903A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp903A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe
Token: SeDebugPrivilege	1216	tmp903A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2076	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	84
PID 3820 wrote to memory of 2076	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	84
PID 3820 wrote to memory of 2076	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	84
PID 2076 wrote to memory of 1964	2076	vbc.exe	87
PID 2076 wrote to memory of 1964	2076	vbc.exe	87
PID 2076 wrote to memory of 1964	2076	vbc.exe	87
PID 3820 wrote to memory of 1216	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	90
PID 3820 wrote to memory of 1216	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	90
PID 3820 wrote to memory of 1216	3820	5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe	90

C:\Users\Admin\AppData\Local\Temp\5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe
"C:\Users\Admin\AppData\Local\Temp\5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhvsso4e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9172.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA843D674D761459789B034D6DBEB6D30.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a104524b7b9bf321f6469665fd8182f49f3adf004ebd11e2a2f9f2ae1b4876a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9172.tmp

Filesize
1KB

MD5
d16ad8e81905c787754b8b44aff3e658

SHA1
f5d54ea98c0376a32f6203b46feab9ddcecde869

SHA256
635b297409199bc1bf647d3aeeb4fb4248dcc02873ecfa7642679ec5b67440ce

SHA512
6811e2bda05a9edc3852670734a97e7f7fd1840ae81cec8ae71c0f785696d3819f33058e40877d7bf255fb1d844daabfebfb7a806aa9def0d23414abf4cc319b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe

Filesize
78KB

MD5
407cd3ac75641e6b83091c90e2d9f7a8

SHA1
11daca2dea5e7f99d56b8e619ba3e55fa7796ff7

SHA256
26749626716f3aa7ec9aa70c82128735b0071c48ca4d0a554a8bc878dc3ea617

SHA512
d56fb73aefaa9f4e529b24cad37289429b07260958d98d60ff3e663585487f825211ee67b5a291e5fe1c4b941e7f4ee158be32de83ff399db1b6873d56410966

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA843D674D761459789B034D6DBEB6D30.TMP

Filesize
660B

MD5
3c6b1f6ff1bd0c7c710f1b5883b601f5

SHA1
b4ff91f52ea39a19a27b42d8756921beed95c6b4

SHA256
708c2ce320182ff64fee1ec9e5430297a1efac9672ec9fd74dd3b4f0f6b89425

SHA512
13bc116efa9d81b5d3569d9100ad638515385afb1a0402ab350b571b125a15de929a08dcf4aa196f2d9863674f14ef77174aef6ee485617c7a98934f346778c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhvsso4e.0.vb

Filesize
15KB

MD5
efb53dd22efe1bc8c458b9ba13567c5f

SHA1
9883c46d1da2029b01cfb42f6b44e31beaf59687

SHA256
9a16cfa6fdbce12bed0964ec436d2b7827dc819f780e5e5f0ecabc6b26fb1b13

SHA512
6e38a1a4e4da61daa1e8bca76bc1ec7a280eaf7bbcc02bd259d569819d410eba0817d899ea31a54a624a640f65ceaa72e6b655de914a40ff5efcab37aee77292

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhvsso4e.cmdline

Filesize
266B

MD5
8fbeb2ccfb6b51ea1b6f3567766269fd

SHA1
ec7c6582afc034ac5f6c11b1f32fba831fdf0d69

SHA256
c8979ccf2096147d443553c5b2c309f4c2bdc50073cbaa41cd63360ce7832c9c

SHA512
36552ac22ccf3e65cc6cbc5efaa51abfc345d888e7b91e172a9e03a72591fc816e0461128be444449f91d513db75e8c9438afd773b5e97b4e4812729aede48a2

Download Submit
memory/1216-23-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/1216-24-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/1216-26-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/1216-27-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/1216-28-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2076-9-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2076-18-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3820-0-0x0000000074982000-0x0000000074983000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3820-1-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3820-22-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads