metamorpherrat | a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4

General

Target

a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Size

78KB
MD5

466d2169f14fd5f145bd6e3e26f48a50
SHA1

83c0c981a317df31ebb71f0ccc4774ab09dcfe38
SHA256

a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4
SHA512

a951fb4fbaefa838cd914fae6da8d6881848510b2e8dad4adf487e2d1aa9f6d126f6a17b2e1546c25c79661a47c222bf13350144c54f14dff64b382439cf812f
SSDEEP

1536:6CHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRk9/z11Pv:6CHs3xSyRxvY3md+dWWZyRk9/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	tmp73C8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp73C8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73C8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Token: SeDebugPrivilege	2908	tmp73C8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4820	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	83
PID 3052 wrote to memory of 4820	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	83
PID 3052 wrote to memory of 4820	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	83
PID 4820 wrote to memory of 3008	4820	vbc.exe	86
PID 4820 wrote to memory of 3008	4820	vbc.exe	86
PID 4820 wrote to memory of 3008	4820	vbc.exe	86
PID 3052 wrote to memory of 2908	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	89
PID 3052 wrote to memory of 2908	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	89
PID 3052 wrote to memory of 2908	3052	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	89

C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
"C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxn8p3xe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7520.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD59BD1474F74C778A31D3292DADF27F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\tmp73C8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp73C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7520.tmp

Filesize
1KB

MD5
f92072dc02eb50481f61fa5b53e8d7ed

SHA1
7b8be2a8ca55ca7956f299addcb1c74df6ffccf1

SHA256
172abe29f75830602a4acdb8a3a157ec93aab91c6329c3b8151c99a53d32cd6a

SHA512
8380180171913f3fafe62e280055ba74feaa0c1ac0563f6a1400d9a1e2e4e7978aaf50c5be35e0c5e323bdcd4c5f257286b52d08aa51a7d9b365471bdc2d3bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxn8p3xe.0.vb

Filesize
15KB

MD5
69babe3ed656e084376b56d2d0e58b54

SHA1
6216c577d140c932a6cf2086491d436715a4dfa6

SHA256
ae65ec3afb322e2b9d438c155d3eda25c42cd9b922bd712351df68b40ba7dab8

SHA512
456d8b077af68454e93dab3c54bd2600b53736130fdb6883c4902079395e31f089fea73647981db9b278a2d30293c19189dba3cf65f834173404a99749129e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxn8p3xe.cmdline

Filesize
266B

MD5
1b8d0b27eb524f01ae2deb4f3e8077c8

SHA1
a27eb74c06fdf207f18e8e2ae6f912bab172f0a2

SHA256
a9a50b2d284e3ee5164a0ca488f3ee6365aa6c681ec70df0b05612ce45b6016a

SHA512
7266d8b659076d06393ecb00934f9f91ea3d26315192dd98eaedb368fce3c6689ccdec200b406811209a3906d282839a794d4a225c951ec52f35b49a4dadf029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73C8.tmp.exe

Filesize
78KB

MD5
075c33b7cf21106f847e689d4b7704fb

SHA1
9fea7b3ab8ee710cf0444a574e68823d00e221bd

SHA256
478ecd8b3bee2c72d3fc61951c70c32d27e061352278fa488de6532fceb2f504

SHA512
6ce72a15f057e7081d2bf70c73bc9eeecf0db339ebbb571ff0a1b6b0bfecc53a33fc5ca41dfbdc4908e37de9cbbf81f65cb87dd24b35d135b703ac8c0a8c8f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD59BD1474F74C778A31D3292DADF27F.TMP

Filesize
660B

MD5
f150e197a9cf7ea89c755a9f96e405f7

SHA1
cd941346c3c65996764c41b651d541b11a7ca556

SHA256
740aa4fd03d773fac67cd00e8782e2877edc2b64060d738aa6fb77c50c9a3cf1

SHA512
11900e366f8f78068e0a632093125fc0350a4f0fc86559d8c22ace9ea9bc17cd44f2658671af573dd978c2ac9c3fbac8af43d9d1e737ecfe7634f1735a04e355

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2908-23-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-26-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-27-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-28-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-29-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2908-30-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3052-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3052-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3052-22-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/3052-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/4820-8-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4820-18-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads