metamorpherrat | 86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2f

General

Target

86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Size

78KB
MD5

eb26f7f2335a2239eaf496c42f0306f0
SHA1

e9debffb6f57de27d125c28f79aa552f635633b2
SHA256

86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2f
SHA512

b910ba53e668174a11f0b9a8bc49a5bcb6683751c95b46706fa352d417a093f5ea9a6f6d2d673162bdf38aae046327ab255c6ad13e9c915e46786cdba5c3bd11
SSDEEP

1536:chPWV5rXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96v9/Hm1ab:gPWV5rSyRxvY3md+dWWZyk9/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe

Deletes itself 1 IoCs

pid	Process
1196	tmp9F5D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1196	tmp9F5D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9F5D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F5D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
Token: SeDebugPrivilege	1196	tmp9F5D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2392	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	84
PID 1896 wrote to memory of 2392	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	84
PID 1896 wrote to memory of 2392	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	84
PID 2392 wrote to memory of 1360	2392	vbc.exe	87
PID 2392 wrote to memory of 1360	2392	vbc.exe	87
PID 2392 wrote to memory of 1360	2392	vbc.exe	87
PID 1896 wrote to memory of 1196	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	90
PID 1896 wrote to memory of 1196	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	90
PID 1896 wrote to memory of 1196	1896	86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe	90

C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
"C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w36z0cxp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF364F2AFE0E47529242D533385ADAB1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- C:\Users\Admin\AppData\Local\Temp\tmp9F5D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86add3aec0b2b8e9ccfccc0580c3cc7072db041c5888a0f7bc4773af6beb6f2fN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0D4.tmp

Filesize
1KB

MD5
32a5f3d49ad2a3d314de57f40bff2818

SHA1
e6d26b6a1df8ec7c4802d81b2d6acc174ebec957

SHA256
09cef74147134e1c6db4dca1c4765e4e38d73607abe9f45640efec44231e815c

SHA512
9871032a06cf289bd790aee344b70cdf9d3a02e79bee7eb30491e3d7aff8f8d0a284386de5246d24ee72e6a9c8ef0d812656a977228f25eabc9efec8116b020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F5D.tmp.exe

Filesize
78KB

MD5
f2b5f06c56d399abd50160a38683d855

SHA1
5dd8003913c7e9cfd11c9e3a4a4bac98b372f476

SHA256
fb5b601cae3e96f783bdd02c245ddfcd6de1f9995fc3b2ac097d5f0f628e2993

SHA512
e7aedbc8ebfbb3b788cf732d722c9377bb5634ae9140da4a9ca71330f88cb36f8523d752b7bed98d5f2b57ebc786f958a7224ce442ade80a0a2c8a016a3ab7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF364F2AFE0E47529242D533385ADAB1.TMP

Filesize
660B

MD5
03e2fe28cad72bb3af058d436987670b

SHA1
ba13ffb7fb43ac9e7617b50d3e82b173e4cc67e0

SHA256
87bfb46408b5e63ca0e481ce40c3f2b1b1043314583160f627ac9b08390e90a7

SHA512
46dc7140fb56dec403f43f847dc00ea73a81536d020927d94ca21d7523c6f7a0a1ede9ccd83f583106368b670f355ef4fc4f8d53be61c735e8f7d963eed268ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\w36z0cxp.0.vb

Filesize
14KB

MD5
9f721888b801fbb167fb17391d30c564

SHA1
a4096ba15af99b514d971207ac0e6e236cc9f766

SHA256
028574957feb76958c11024002e6f6b323f8b119a75f2741a52b0b8b99fc3da0

SHA512
b7a1667e46c5765ae7e73b25b1eb5cdff8766f1a7fc472fb34fc293662ada3e0dc0e63b3d2b4fef1ef63c6fe6a96efba0fdb34fbf438a934ca5fc0bb23f33038

Download Submit
C:\Users\Admin\AppData\Local\Temp\w36z0cxp.cmdline

Filesize
266B

MD5
2eb91bc4169d8331615f9c987e0c940f

SHA1
6c71f5fe618bd775f79eab15476dc1980b1a1bfb

SHA256
6973a3e8f0b25b0c73f53243192f900edf2e05b6eaa6d3d459d7cc62ea40ac85

SHA512
449a3ea25a02ee2dadd2df010a1528b0bda772b87fa7d970b2cb02700c32706f051d50ee810f7f6a05120b0ae3cf54b603b6787d3c888fee2193fce6c38d2645

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1196-22-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-24-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-26-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-27-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-28-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-2-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-1-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-23-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-0-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/2392-8-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-18-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads