metamorpherrat | e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eec

General

Target

e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Size

78KB
MD5

3f162cce79e533c8bd8a0dad74046970
SHA1

6189fbb781d792187710d4b931dfe66af64b159f
SHA256

e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eec
SHA512

da87dbcf846d9f0d16b7c942fbbed3903c27f5b65e506002315597c08d4ad21c8bcfc63a0252b79cc04a61ea605e65c9576c077ae85f5b211a940f0fcb2aecee
SSDEEP

1536:gPCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtz9/m1BU:gPCHYn3xSyRxvY3md+dWWZyz9/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe

Deletes itself 1 IoCs

pid	Process
4920	tmp8D2C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4920	tmp8D2C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8D2C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8D2C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Token: SeDebugPrivilege	4920	tmp8D2C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3236	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	84
PID 2772 wrote to memory of 3236	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	84
PID 2772 wrote to memory of 3236	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	84
PID 3236 wrote to memory of 2952	3236	vbc.exe	88
PID 3236 wrote to memory of 2952	3236	vbc.exe	88
PID 3236 wrote to memory of 2952	3236	vbc.exe	88
PID 2772 wrote to memory of 4920	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	90
PID 2772 wrote to memory of 4920	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	90
PID 2772 wrote to memory of 4920	2772	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	90

C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
"C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1x_gxx8f.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C6ED65D74144FD7A16CF8B99EE3F51.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1x_gxx8f.0.vb

Filesize
15KB

MD5
d46f94836e4a4e78d14db4e56a5ed6cc

SHA1
86c15fd6c2c7e416b1c63e9a924ab84f68b885d5

SHA256
14acd6eaf3a146011b856bdc4eea75843d755f9c7792caf62aefc01e8fff1483

SHA512
c4ba605f385e0d93a8930c6cfb2f51eec7a8ae360dc65daad454bbcb87294d2c4d967d8ef755aa358453422bca651a3db445a7ccac270be768ef04c377d49c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1x_gxx8f.cmdline

Filesize
266B

MD5
f66fcb078eb7241bfde3fd13e923a2b0

SHA1
24f6404ebaae2067db3c455ec2a24a796a28d5d9

SHA256
0effdcf674100cd7dcfe31b6a8425a382c901e35df2ea9dcfad8c9ef7156016a

SHA512
416c15b122ba78348734ed223cc916110975e846927ea245ac44a29d4b681aca688d102e3c8a9120d7b52282ded27e7fc11289dcec235a2263528f39af98d7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E36.tmp

Filesize
1KB

MD5
cc543669894e6874692b6722d6f54a25

SHA1
a3581b971308712442884552f7c3f1be53a5a7dc

SHA256
c080368858bf61664393dd8b46d6e8ee1677b0fec3725367b0920ad151960930

SHA512
59b39f5cebad814763c26496e68e27eda663da69b37e69e068a1acb2ed1f3c1eff4e186547e24caf03966bbe2e05bc5d4dcae4291bece8ad4a09394fb5f063e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe

Filesize
78KB

MD5
2c53ddbf8082be833e6b83cb066e7c38

SHA1
780acaafdcbfa8a2b57a03d60b6d5113844ef7dd

SHA256
fdc207c9a8639ad598c596ff4a441eaa6de4fd47a8012df803fbce5e117e7e0d

SHA512
ce6513ddfc5ed45935aa8a90a01395bef3811364563ea49c493349c8b621d7a3359687ce51c66d52cd89b10a7c9bb4cfcb88fd3976499f1c27cc96ae495af968

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C6ED65D74144FD7A16CF8B99EE3F51.TMP

Filesize
660B

MD5
a36738fc510ffe5443e9074b23dc34b0

SHA1
ea0f9b766aad1eb5a5db38eb59922b68cd6e7e85

SHA256
aa757f04dcd7e3caf2bf3c1dcd3c534d0d2d614e7d173376fc6bf800e1455746

SHA512
42498a1d1eac3385b77d7f39cdb9716b6e3bb5c70a567042478ac2b02c452e90d79132abe838343c8243d008c85de9b02e6878f158bc6cee37bd084e3c9c1c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2772-22-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2772-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2772-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/2772-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3236-9-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3236-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-23-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-24-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-26-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-27-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-28-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-29-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4920-30-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads