metamorpherrat | e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1

General

Target

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Size

78KB
MD5

4e65fa07b5cfcd20bff532895591fde0
SHA1

485ad52859548efa90bf64b72ea5949734fd81e3
SHA256

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1
SHA512

4c6943308d4e00498a53357ed2ce61e20fc40d5899afb7db7d9ee475f59cc4cb83273dd2ff9c4966de58150b5c03e917704c1ccabda84903e0694233a4befff3
SSDEEP

1536:nPy5jSwXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6p9/c1FO:nPy5jSoSyRxvY3md+dWWZyx9/9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe

Executes dropped EXE 1 IoCs

pid	Process
3800	tmp8F8E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8F8E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F8E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Token: SeDebugPrivilege	3800	tmp8F8E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1408	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	84
PID 3344 wrote to memory of 1408	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	84
PID 3344 wrote to memory of 1408	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	84
PID 1408 wrote to memory of 3180	1408	vbc.exe	86
PID 1408 wrote to memory of 3180	1408	vbc.exe	86
PID 1408 wrote to memory of 3180	1408	vbc.exe	86
PID 3344 wrote to memory of 3800	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	88
PID 3344 wrote to memory of 3800	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	88
PID 3344 wrote to memory of 3800	3344	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	88

C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
"C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxp7qu2c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8E7D56CD9F7474882D15E2CC419BC5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
- C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES90D6.tmp

Filesize
1KB

MD5
384f2126ba0b6cca6b3223fc8f87a3e7

SHA1
d179ce1a6af105cd06f899ab41ffe4ad3d6e4362

SHA256
32f5e77277c1e04e9f38047ba055cd711d73e2c0ae02e87da2d163cbb543d67d

SHA512
3a0408a018f64586ee3d5b59cf11ab51aa6056b48f743dadd6a92159edffb2539c47b18bcc74f2e1a30fa45e41d69d3d6d8f267883f5a5c92af6595bed4be0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxp7qu2c.0.vb

Filesize
14KB

MD5
acc3bc872ecaab08ec95638ddd2409f6

SHA1
9f7a578fb4cb1a9ba67b81d964985ec6985049fb

SHA256
55f952274abe0ed1eb2eab7ed9ad1836289f70a58c6dc68ec3e1771278b4828b

SHA512
a6df0b9407a0a239d26cee1ce252962a2487953098203fdd8921af495845500165270169fd036260f91ba844c5e5c1bc483cc8610c2017fcf003509a11cec157

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxp7qu2c.cmdline

Filesize
266B

MD5
5bc6328b72df4a26c83f41c879f76a9e

SHA1
3ab88dbc542839072aef91374b55f6c58629309e

SHA256
30e1d432eaf969ead5924a18667948655ffa6f874d8b5208da139de9a4bbf9eb

SHA512
a6d6bed3a535091c4a4d790a741971e55b8ccdde2adf9d86974747a633d811dc7845d45845f9e3bae982cc9617351706ccdc00a3487942bc336454c3df006bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe

Filesize
78KB

MD5
ec9478bdbc6e3172631219924afd2d71

SHA1
6fdde0c2c5a50125111de7c26656149a6c749de1

SHA256
6860716edfc31bbadc89714c150b15dd5a909acd904818f56dbff286d161a7ab

SHA512
5732acbdae42b79e22d1eb3497000476fdd5b0f6a69865f4092a2e0ced4a3f7b29df3da29307363c5d63178ed51055f92696ff6a6b7c90eae022279768a151aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA8E7D56CD9F7474882D15E2CC419BC5.TMP

Filesize
660B

MD5
bd874e3fe8b41718617c818c60c152db

SHA1
bbf22fb6992805ec44e45f71bc381444e545b14a

SHA256
2255a1934fa793c5f0f1e867f15da27b997e40f7f0ff6921dd7df61b39cb02da

SHA512
3ca8868ddb3cadcc7622c5fc7d3908c099ad1976e81cef593605f113a1ceb1dedf321efd828ddc251a6adcffe48ea084337b5e598693b758892c473ada09d3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1408-9-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/1408-18-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3344-0-0x0000000074982000-0x0000000074983000-memory.dmp

Filesize
4KB

Download
memory/3344-2-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3344-1-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3344-23-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-22-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-25-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-26-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-27-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-28-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3800-29-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads