metamorpherrat | a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b

General

Target

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Size

78KB
MD5

9b545f0c4b73fc1813e01414e50af4f0
SHA1

f7adb760241827c3011bb246d0bf5d2e7e0690ce
SHA256

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b
SHA512

fa2cdc9b8b7c93cd38119190162a2d822ca5aa0289cf6935e533b88473528451277c3115af4c2f930563effb1b12c013b0411c430bb6fe5eba2f80a7907299f1
SSDEEP

1536:eRy5jSxLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtW6tn9/+1oE:eRy5jSJE2EwR4uY41HyvYd9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

Deletes itself 1 IoCs

pid	Process
2528	tmpB2F4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	tmpB2F4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB2F4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB2F4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Token: SeDebugPrivilege	2528	tmpB2F4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1720	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 1432 wrote to memory of 1720	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 1432 wrote to memory of 1720	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 1720 wrote to memory of 1948	1720	vbc.exe	88
PID 1720 wrote to memory of 1948	1720	vbc.exe	88
PID 1720 wrote to memory of 1948	1720	vbc.exe	88
PID 1432 wrote to memory of 2528	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	90
PID 1432 wrote to memory of 2528	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	90
PID 1432 wrote to memory of 2528	1432	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	90

C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcfasus3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2C6BEA59DD4E9C955C105A8A99122F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB4E8.tmp

Filesize
1KB

MD5
e7e3f7268fb0f8e728430dc818989e61

SHA1
24b1f4314723a611e3987387f975ba921cdb646f

SHA256
e0b5b4d8535e98797d22a902eded20807ca51cff224ab9be02d4d323de0cc218

SHA512
75578a0fbab9d0af7f0d8012a7e4fa5baa5a1eb4a41ab1a363c90a269c580e6b5f9d95ff61d005a68971493261682715c20e241addbbe4d31ba6d4b43534ec03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe

Filesize
78KB

MD5
df89014fc6765060fabef686e9cef8be

SHA1
a1735132012b6c137deea1d6c2010f9059e46546

SHA256
9fe7bf7dbbb105904210bcaa103d1bde391d4217146b524ed5b6d2cbb574dda8

SHA512
c462b502c15cbc9a1af0153c6766b44a036c5f315921b8df82f857060f5fb0a0e5a7e4e3ed55a2da0b47bd80e90ed49c1bc70b17d661550501768b4c53f75899

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2C6BEA59DD4E9C955C105A8A99122F.TMP

Filesize
660B

MD5
90bff34a03d0f204a52820c73be12b8b

SHA1
bf132e2f730e17e0214894f5d83a6ff974d6583b

SHA256
1def159a41566d67bc67ce24e2d5ce5bddccaaaf35267b7b6b9867645ccf4085

SHA512
68ba2a5cc46b5940f34efbf41f08b93a9479132b9d46ff8ff27b956ff241604c413c28befd52ec9990195a0044efcee47bef843e8da77eb568cbbdec6e64f0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcfasus3.0.vb

Filesize
14KB

MD5
8e0b1b272ca8db4952ec74039dc0f7cd

SHA1
44ba3aff536e55e7dec10106195dfbf0e8b56a2f

SHA256
a359ea8492efe7c7c096b70d8850a757cea6768d73f912944bc025b7f08e26ff

SHA512
3f632995a561ae29e13c6d329954f9ea5777df0616965a842986ea115e4c3cd9e157bc5220f172ee575282c3a7207de7ae883c1e06cfe493020d6076e90c65c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcfasus3.cmdline

Filesize
266B

MD5
bbad4dda17f34a05864d856981c1a2b8

SHA1
6259b9241f2386c7027afda6a49cdaa88e712971

SHA256
04f59c6aa6f2da190a8a72a849983bb37b34a30fd5472bd5b4a32901107da4c9

SHA512
bf8878b983b3f8d31696b6798cfb6deea2912fac1cc1100d7fe3bed8482952cd6603d768b4da50660de87a99ead38fa5b4e955038b003e142e4cce8d8a5929ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1432-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1432-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1432-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/1432-22-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1720-8-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1720-18-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-23-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-24-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-25-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-27-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-28-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2528-29-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads