metamorpherrat | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351

General

Target

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Size

78KB
MD5

88bdc277be811cc4d1a6cdce3de630a0
SHA1

4430e568aea8bd2deef33dad79f35753d44ace2a
SHA256

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351
SHA512

64c6252a6f2116073cbd40c603af35763ca265419c8c3fb9dd50eaa16af9dc05a0efe745404327831a24cf05440f9599d987f15702af2915c48959eddc2de023
SSDEEP

1536:6WtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtw9/F1kJ:6WtHFon3xSyRxvY3md+dWWZyw9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe

Deletes itself 1 IoCs

pid	Process
1632	tmp9A6B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	tmp9A6B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9A6B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A6B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Token: SeDebugPrivilege	1632	tmp9A6B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2904	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	84
PID 812 wrote to memory of 2904	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	84
PID 812 wrote to memory of 2904	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	84
PID 2904 wrote to memory of 3592	2904	vbc.exe	87
PID 2904 wrote to memory of 3592	2904	vbc.exe	87
PID 2904 wrote to memory of 3592	2904	vbc.exe	87
PID 812 wrote to memory of 1632	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	90
PID 812 wrote to memory of 1632	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	90
PID 812 wrote to memory of 1632	812	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	90

C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
"C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3nl2ya_y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD15B3812BFE4471AA76977922EC5973.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592
- C:\Users\Admin\AppData\Local\Temp\tmp9A6B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A6B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3nl2ya_y.0.vb

Filesize
15KB

MD5
8d32e6068af2fda4b8c595b24d41b1f7

SHA1
2c49b4df39de95120ba4f0308c647bb47fc097fc

SHA256
42a5b469826ddfaca13a5080a2b035c12cff01e12b802e229be0ed7b7ad6d13d

SHA512
4dbfe23cf4f2b3f29de22c59da818d917e04f978d359d98e49017c6399c70ac7f5fa4d2e786fff548f676f616ad5dd9b307a53a6e263c983bbf401d479ac3938

Download Submit
C:\Users\Admin\AppData\Local\Temp\3nl2ya_y.cmdline

Filesize
266B

MD5
dc7ecf053515fad5268e3813740906c7

SHA1
cd0b58aded7bf2a7da74136a6a9d8ca5a7e49a2f

SHA256
f26770b94d87d785fd6fa81c211456b4aeb4bb979b19452916ae30062b447703

SHA512
9f1c19e9c061ff3f647b454be4e9ca2a831f11cabd57fd8635596116a5a950dfcb7105bba3a88164d8d53a394b7b29077fc27917cb0f6a67b1f1f26078d9cf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp

Filesize
1KB

MD5
36f6bc03539912d350e05c5ebba9df8a

SHA1
41b5000b054c4871c574f16446db00731ceffb82

SHA256
e629293ed39eeb477a1bfb2244fdb6349678a7d7ab8b9e75ea56a6ea3ddcf165

SHA512
9fed19a8f2aebc9cef8b4a260b999b97fa1ab759c752e12b646598f641694ec2d7372a2b98fe9b77230d29c61cffabfc71093d33ee59591ee2bc8aeb96399238

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A6B.tmp.exe

Filesize
78KB

MD5
ba1f624fb2d17873c15a2efdec073717

SHA1
b2f6d9f4119074db715389aa9b2ded2b8ce740b2

SHA256
f8d6d380766674703d976035bbe6c583db80b4fbacc770d8893e8496c88487b5

SHA512
4d84514545621b58377932cc6adfaf351b0e9af21004eb14290b0864cebcfc9a93b7f638121f9a3ea59ed1319286800a9752358eb7c1e659badd0f8c9f04cc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD15B3812BFE4471AA76977922EC5973.TMP

Filesize
660B

MD5
a8709036168b115f666175a096c997f0

SHA1
4e1f27876030aeb9ba97a234cb9baa00aa653f34

SHA256
f5b17afcdc6d9bb6ee6b8149c077e6d8853957271eb5fb8ad2fc1545fcfccfbd

SHA512
26adabfadc119056b6fdf449ef3acdec6933eda134ef6648c4c37209d48dfdea09593ebfee153b8152967e2e54e464a8b976e8a721096c5bd8e620f86aa94342

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/812-22-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/812-0-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/812-1-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/812-2-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-23-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-24-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-26-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-27-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-28-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-29-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-30-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2904-9-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2904-18-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads