metamorpherrat | 5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34

General

Target

5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Size

78KB
MD5

b2a5489877f58a7ee049569cff6e3270
SHA1

f60d1d08fa723a3d24b4b87414cca62dd82a0437
SHA256

5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34
SHA512

5ea40c1c1c173bff711523979836057a27076dcdc715806937fccb2a56b9e702e6213e27939d18f3225b643fba35bce33a8c99f3ea2df40c08069f27bc77eee1
SSDEEP

1536:psHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtP9/91Tc:psHYO3e/vqyA11XYUBxprBPjcP9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	tmp9078.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp9078.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9078.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
Token: SeDebugPrivilege	4164	tmp9078.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4504	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	84
PID 2376 wrote to memory of 4504	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	84
PID 2376 wrote to memory of 4504	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	84
PID 4504 wrote to memory of 2016	4504	vbc.exe	88
PID 4504 wrote to memory of 2016	4504	vbc.exe	88
PID 4504 wrote to memory of 2016	4504	vbc.exe	88
PID 2376 wrote to memory of 4164	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	90
PID 2376 wrote to memory of 4164	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	90
PID 2376 wrote to memory of 4164	2376	5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe	90

C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
"C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mkahaczx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9182.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEA394C01AD144E7917AF2D9142A4C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5f8edc075487dfd96e87c39edeb7565c9d61b5f2ce1449018b27f0e63f854f34N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9182.tmp

Filesize
1KB

MD5
0788d037173c9a3825ce8cb6cdc96230

SHA1
4ffc50dbd387d3703bc200efc1ec78005251558b

SHA256
1530bb7203e8a12246180756d9ef2d03e1b43932d6cf9e6cfe941b248cd4c94b

SHA512
a22991df6f00694b5212461161f6e30b1a1dcd3c37db2fb149bfd823288cbd90e1d73dd72f2c8a45904bdc5c710eebf771801352c5f308ff52aff63b762014ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkahaczx.0.vb

Filesize
15KB

MD5
7ce1580329770cc142cd3b2a441d9100

SHA1
2c649f203444d3c66dbab0811ce1764b2242bc21

SHA256
700a3867ad09ae9d67e46d4b443dff3596c4db37f49d19945ff18be7cc401187

SHA512
8140acffaf11a623039b09c9d062f8f6d0069e921a1d564e69e1faee0937c601eb76a0c9aa4f95973e7062ce8de898f6921d1d4514a739bdd8648958c7df1ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkahaczx.cmdline

Filesize
266B

MD5
3df247cb93faf59afe899361015517d1

SHA1
ce334579efeeb7618d91892b478847542edc76b0

SHA256
7b0903cad20172b4119493070cd7f0c8e27edb2308eaa06c07dada5a35aff632

SHA512
589bb95258d9dd28d2d4d8d4510b5338c225d1c1a642e4822a1fdf37f8f6e4d45c8ba60f9cee40c4d17b4882cc59d5789fb645111ebb4171c9db8f00106d6916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe

Filesize
78KB

MD5
05b0573e3e992b21a60cce9d6b79ad47

SHA1
f34012ea8fb7b7472b1b84b35b470731509e2b38

SHA256
df6338661a98d5ec5e101dd1cfec9e84bd6757f88bdc6147787be18ec275752f

SHA512
5aaf2b1a505f162f57b58b754f7d09b1986e02307e1dbab7790141b504f1c5b99fbe1578e64888c577da8996b5002659004fb60f409fda8749bec15006d6331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEEA394C01AD144E7917AF2D9142A4C.TMP

Filesize
660B

MD5
32741ea970ff307cb5cfa6b1ba6b031e

SHA1
cd75d1ac56a265e509f28f65398506b922122ee9

SHA256
fbd1341dd8e9c6f33664588b30f831a674345a548124679ead921aab6d4035d8

SHA512
95174c0b88e4b17f767044ec65996576afc4607256ce647b0fb22f508a62b92ca2dcf0b66848d286e30885526694ead9f920ce643363a3214326ecbe1c2e1da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2376-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/2376-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-29-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4504-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4504-8-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads