metamorpherrat | 308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc

General

Target

308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe
Size

78KB
MD5

8d5b46456adfa1aab109260e6a7c207f
SHA1

60b58d42035e08189a4a83ea10b4636dba6eb160
SHA256

308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc
SHA512

1ea2107ca9664f9f4958b8122b59c889ebd4cd21e4ee90da67cf8e2be1e3042fdfdefec588f4a14a430a7751a87e80fefa73f726451917af0f154b7d0ac9f24c
SSDEEP

1536:tWtHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtR+9/P1DH:tWtHF83xSyRxvY3md+dWWZyR+9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe

Executes dropped EXE 1 IoCs

pid	Process
3124	tmpB3B0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB3B0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB3B0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe
Token: SeDebugPrivilege	3124	tmpB3B0.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4616	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	84
PID 2128 wrote to memory of 4616	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	84
PID 2128 wrote to memory of 4616	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	84
PID 4616 wrote to memory of 4244	4616	vbc.exe	86
PID 4616 wrote to memory of 4244	4616	vbc.exe	86
PID 4616 wrote to memory of 4244	4616	vbc.exe	86
PID 2128 wrote to memory of 3124	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	88
PID 2128 wrote to memory of 3124	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	88
PID 2128 wrote to memory of 3124	2128	308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe	88

C:\Users\Admin\AppData\Local\Temp\308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe
"C:\Users\Admin\AppData\Local\Temp\308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qhpwdzzw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99A6420CA7DE491F9B53CB52ECEBF47F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
- C:\Users\Admin\AppData\Local\Temp\tmpB3B0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB3B0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\308a9960c21c9c9e088603bd1725ae0f9f31768d0406f80227fc0d04e2ce33dc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB4D9.tmp

Filesize
1KB

MD5
57bdefdea1a7dd5c54943d7f43bfa35f

SHA1
65d45d57a5bcd9d477227fbf30027b80372ec514

SHA256
357c054ad8d8b6b1c4f715b6c6ca5c31ac591870eb236e9bce4be59bcca00e92

SHA512
8789d9f99ea1f1c139125983521d7e458b28f33b5983c5add073e20504c187212765f85020890a5310f2f59050211ec0678bae33bcd1005a1166cb92abceab3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhpwdzzw.0.vb

Filesize
15KB

MD5
4d52bc7ebb60d60e8731a4946d5a5c9c

SHA1
a5daed61e3ea76edebf2cf275b130522bb871922

SHA256
809bcc5beb4b3f3412417e7cb490fb9fa3314c1b21ab857651c7aaeb61b885ab

SHA512
f3873a181167fd36b3e773236052481f87aef0cc0a9e0962720a21c041b19543b9fbe60933ec4fbbf1cfa0ed3b98d8fae32b90627a6166ae4252e9796e7574ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhpwdzzw.cmdline

Filesize
266B

MD5
e9aca5098e381b810194b91d3f3e0374

SHA1
86611c9c5c23cb9252c2e50077349de83345d970

SHA256
6f2cef24b0fd45019481b9cb216394494d9ef312d59d90af2c0e48a7f7b869ad

SHA512
1c32dfd0d96e6d74e2c48bcc4df9b2fb4f5d7384da475dd80dea7d49557d31e619a20349bc5a7db7d91c8f6c3bf127ed00bf0ff9621006e37bd6bdc14f8aa8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3B0.tmp.exe

Filesize
78KB

MD5
a656c19bb162bc755bf79a96111ec951

SHA1
faf03e5f8bf607b43007dccccebdbb5b5ef29004

SHA256
3d826a0b61951d18323336885495c558389b310247e2e8b2ead240495d016f12

SHA512
43c265bf8d4af079d9159d9583a83150612a315c848066a6123e0ba4f5328a41e687d131101356b9c9e2b183ba727611dd438e0519c07c417d9f91dd00fc23a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc99A6420CA7DE491F9B53CB52ECEBF47F.TMP

Filesize
660B

MD5
79fbaabdb61f72d2ccbebe18885b6c8d

SHA1
686abadffb272775ec2e2af5bca45c976abecc2b

SHA256
7c8dc42e3ee76870c9dbcdca4d8e42ce4f19d1a677af06308364e7a1338f59b3

SHA512
e85238789e5453adbea776720170bdac3c84fd76f92a2acf03df804b686fab118f07511ca9cb125c02c4a54f8d33e058233eef26fbfb984261acfbf66ce9a932

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2128-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2128-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/2128-23-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-22-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-24-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-26-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-27-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-28-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-29-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-30-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4616-18-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4616-8-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads