metamorpherrat | 49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefac

General

Target

49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Size

78KB
MD5

b9f95303e3af29e83ea3a63c9514c4b0
SHA1

da8899cd5066a6fd59468ba3f3344fe949343efd
SHA256

49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefac
SHA512

1803cd8ea7ab1e2698e3c7f4037e945015227046329805414b263b31ad6493fa78a380612913455c9fc3612a73ddb2e7c265c06d824fb5695fcdeb335d7459bd
SSDEEP

1536:FWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRP9/B1cA:FWtHFon3xSyRxvY3md+dWWZyRP9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe

Executes dropped EXE 1 IoCs

pid	Process
1332	tmpB602.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB602.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB602.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Token: SeDebugPrivilege	1332	tmpB602.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4240	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	84
PID 4428 wrote to memory of 4240	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	84
PID 4428 wrote to memory of 4240	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	84
PID 4240 wrote to memory of 2004	4240	vbc.exe	88
PID 4240 wrote to memory of 2004	4240	vbc.exe	88
PID 4240 wrote to memory of 2004	4240	vbc.exe	88
PID 4428 wrote to memory of 1332	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	90
PID 4428 wrote to memory of 1332	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	90
PID 4428 wrote to memory of 1332	4428	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	90

C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
"C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\005adaam.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609E529EEC416C94252BCFD44ECC0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\tmpB602.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB602.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\005adaam.0.vb

Filesize
15KB

MD5
a62c0c6b59fd309d27d4b4cd196c4825

SHA1
edb570485c1e9407685b339f2d1fa0d0f084a760

SHA256
ddf7bab95ee5d680c84a1cd2aafbaf77a79022bcc02330f6c4f23a76f43438f8

SHA512
d515ddea61d00c8e56d92cf518a232e5828cd557b79ee68c2616ddf00edb775c10e8ef4536b7db0415c917da40616d7aedc6b1a57ea6b63ef9174fdccb33276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\005adaam.cmdline

Filesize
266B

MD5
f98c37c2028c01515a8e793d9250db3f

SHA1
75673227493c14523d6fcf1d145b06c4436ce45c

SHA256
588d84b38e25364d28de444c73a13e4253e8eb1f636f080fdae206b61e29f753

SHA512
e446cf5f45f32b55ea9e5ede29f8cf862b0fc22a4a32a9f22b72f186b57a5c8783f90b08d357622215705b1f6af3180b83fff11464a19b33ba8184a18a49f65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp

Filesize
1KB

MD5
5acf11f7f33b1d42f322fac3d1e30212

SHA1
ed3eaf034b1b6b2598ffb3a33d11e5025728caf5

SHA256
511128d135e0e73c6c44cf46d684c8d4bec1936cf61f329448a2a16c3521eded

SHA512
7b070b126ccff2c9e717af877fe2e8e1f80e6d5934251414d15a0fc4aaedb445671a5cf516df9582cd1271a689afed80fb65c1b1e2302f191fb1727beefb01a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB602.tmp.exe

Filesize
78KB

MD5
f98cac65ae3ddea26f5b25302d9800a3

SHA1
d19d36d30f684ba818e613500963a4605d530be2

SHA256
4e46c48c8980e97cfdbe317f88522717d21c4587711a9139cacf857cdee1cd0c

SHA512
b80736839b2a724481d0cc9661632c04785b5afbf7906444f55ac2469fd5d10a2aabe4d6e699926241aec55f7da55750550d9052eaddb1dcd2351f2a1fe5c451

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc609E529EEC416C94252BCFD44ECC0.TMP

Filesize
660B

MD5
d9212cc5f8910334c87dda975ff43d91

SHA1
e0ab9465a5b1dc12512cfa7eb4052c2448a2ad02

SHA256
3734a9b6e7d70b91d55482bd21f1fbd4aca46fc5b3e9d680e09651a7aebb6550

SHA512
82dd247fd4dbe0e23b013fba31dff36e14c8ff7bf4744b6a2bf97d789c0855282e635eeb7135ee911fb378379ef25bc58c1b5920b72ae6724aae58c3dc0ed9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1332-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1332-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1332-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1332-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1332-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4240-8-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4240-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4428-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4428-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4428-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4428-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads