metamorpherrat | 95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5f

General

Target

95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Size

78KB
MD5

fb4a198b8f0f9c1e77432abbe4a17c50
SHA1

3c592ae6f00078f3454963af774d9084e3ed0790
SHA256

95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5f
SHA512

6339262c1a74fca76d4a225f239afd2841f622d452ce6e5686d68eaea2e42a1871889473dd3b8b0c8c13424a512deb636ff8bcfb1d00598720b5199554e38d1c
SSDEEP

1536:+sHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt59/l1JP:+sHYn3xSyRxvY3md+dWWZy59/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe

Executes dropped EXE 1 IoCs

pid	Process
4976	tmp91B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp91B1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91B1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
Token: SeDebugPrivilege	4976	tmp91B1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3968	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	85
PID 2144 wrote to memory of 3968	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	85
PID 2144 wrote to memory of 3968	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	85
PID 3968 wrote to memory of 1672	3968	vbc.exe	88
PID 3968 wrote to memory of 1672	3968	vbc.exe	88
PID 3968 wrote to memory of 1672	3968	vbc.exe	88
PID 2144 wrote to memory of 4976	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	90
PID 2144 wrote to memory of 4976	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	90
PID 2144 wrote to memory of 4976	2144	95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe	90

C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
"C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgdq1wym.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9451.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96F4C521377D4E5D80C6FFACDE146994.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\95c90dbc83481b9e51dd6a29388ab958ee460481992da874fe8212d445f83d5fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9451.tmp

Filesize
1KB

MD5
b7c05621da5f69a6c1b8e428480d4c97

SHA1
7189bca5a5233c12d7a38f9ec3c618acf8213730

SHA256
240a100490d6c972bcc82c475a10faffb6f8583ca6ea29ff7c8568236c4df49d

SHA512
85b6d44c1fcdfb4e00d5ff2541d25c66621474c4ed4eecaf047c8082a14be7dbcd4ae2c3242f02f2f9d595102c74089314f8158aeefdd90f608c86239a0a2734

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgdq1wym.0.vb

Filesize
15KB

MD5
cc0fecf054ace824d841d4c187bbd863

SHA1
cc1bd19d94a9f9a9e295de757d03061d0607b398

SHA256
af05092c3c4a111ce5f482a66b4f2f5c24d7e88a7263ba131f6405794f916e05

SHA512
f5e868b35bd0a575afe0037132615c757bdae62f7afcbd5cfa9c8b71980f77b6671d104caae60ead630caa71183d3395719af1f0a582d5e736e1c129beb4d2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgdq1wym.cmdline

Filesize
266B

MD5
7111dad887eea520d8b2b1b8587320ca

SHA1
cb7288a108efdc9b8416380bec5955168a943e5f

SHA256
dd2311ff34dbd5f45295a5bea5c2345177fbe586afa0e206364e82fab789883c

SHA512
4e38be5fbcbd82636cebdc56bf8202215cf50b5270b313e5c06f53ddb2af163288b619c536e64b718b9876a6e449d3238ff5743db47d739e766a869fcb56dca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe

Filesize
78KB

MD5
aa8cfaf689a677939b9214ee4b77300a

SHA1
9ab203ad7251b66e2b0a276242b6dc34e7dfc887

SHA256
91b9115b8b644a5797bb78596c210b6ec7a40ed40e128e3929a69444ed8b6d87

SHA512
2390fd1ae05cb26cf1c91de7b5955940f38a275cfa2a08178a2f7ac46a31f70f838ac5072663204716a99e1c1decf197aef35abbf6f8135fe602b2cf07797813

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc96F4C521377D4E5D80C6FFACDE146994.TMP

Filesize
660B

MD5
5a47c63137affcef1f4b42a759cbf788

SHA1
f34537c166094144bfca5b2bfcf41a8a5a9fc9b5

SHA256
c4ef17b3efbb6bd73e300877072fec08099605fc3ffe6fa338bee3d1bdd3bafc

SHA512
4ed6e23be19da0ad960b56a9c6fd0c1fc1f875555f807d4ae205e4504f85310685b9d956484d91e145839deb00bdec06213c10b70c58308e562a46bb341e9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2144-1-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-0-0x0000000074722000-0x0000000074723000-memory.dmp

Filesize
4KB

Download
memory/2144-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-8-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-18-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-23-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-24-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-25-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-27-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-28-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-29-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads