metamorpherrat | a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b

General

Target

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Size

78KB
MD5

9b545f0c4b73fc1813e01414e50af4f0
SHA1

f7adb760241827c3011bb246d0bf5d2e7e0690ce
SHA256

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b
SHA512

fa2cdc9b8b7c93cd38119190162a2d822ca5aa0289cf6935e533b88473528451277c3115af4c2f930563effb1b12c013b0411c430bb6fe5eba2f80a7907299f1
SSDEEP

1536:eRy5jSxLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtW6tn9/+1oE:eRy5jSJE2EwR4uY41HyvYd9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

Executes dropped EXE 1 IoCs

pid	Process
3124	tmp83D6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp83D6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp83D6.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Token: SeDebugPrivilege	3124	tmp83D6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4672	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 3500 wrote to memory of 4672	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 3500 wrote to memory of 4672	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	84
PID 4672 wrote to memory of 3188	4672	vbc.exe	86
PID 4672 wrote to memory of 3188	4672	vbc.exe	86
PID 4672 wrote to memory of 3188	4672	vbc.exe	86
PID 3500 wrote to memory of 3124	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	89
PID 3500 wrote to memory of 3124	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	89
PID 3500 wrote to memory of 3124	3500	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	89

C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bobig7hb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES855C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35633A14134B4FB5B2EAFA2D7746641E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3188
- C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES855C.tmp

Filesize
1KB

MD5
adbefe98a1f949132b03ebfe9dba9d65

SHA1
1539aba89d6cd221594f1d939160b17fa97dc207

SHA256
73802edf7a42c75f3325c7b9091085feae45f51b4c3845b84eace8b0841ab5da

SHA512
a386684ee08ffff3efef9ba60d80d647b042ee4b313135025cf22ac9bf804517ff58ff585a3526b8a05896d17f572ca2e73d43b1e805f67a4a884791cb5e23e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bobig7hb.0.vb

Filesize
14KB

MD5
9053ac34db72f18339635a2970ed1304

SHA1
dd6bd66d77bc811533ebcdf5f74e64870d2d293f

SHA256
563165d9f035d89c7e374db32f66bf0985b22919c72a0de331433a9cf86c2cad

SHA512
80aa4edaf42a8ee4c0c6502c9468f515c9cec140ce2762cc6a94208c8a7cf2b28d4cd0f40303a9011725bca6dbe51a65c83d96d8ec7c938e0178b1083678e23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bobig7hb.cmdline

Filesize
266B

MD5
014bf2162f6cf627fee819d0e225c923

SHA1
a833d71fd1d9a224ce77ac94d8612520f47e9535

SHA256
deacb455e9bdbda9570cfdb37a028422b553bed7f07a42b619a5358966a96562

SHA512
2919f77843d740644ebe3c4479c31e16905f62f8eb09ec56739aff4aaa3725a532e50e62109f487b34f717c9e56268434169cfde410afb4023b38b99942808a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe

Filesize
78KB

MD5
db880ac16d82535f4a69beb653fdec77

SHA1
e32144749562eee45470634484accba9e652ef00

SHA256
cb1843a5e0b412f60cce3b479295adcfe2f56930d83076a4d2cc73caca8e6f9a

SHA512
a76f9ffa8800853c6f4f9c16d3bbe51649e7dcd8788b12bb21b151acf6a3e2e0f760aa7a8bc7efd97326feed82e27c4c891dda3897e01a4afc51e3c5c395b975

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35633A14134B4FB5B2EAFA2D7746641E.TMP

Filesize
660B

MD5
e2f14df390b49941224d9239028dde8b

SHA1
5d2d2581a7d5fc0cc276b67ac1fbe6c3c8c20e17

SHA256
ffc44bcd0231c50eb0f93666abe330c1f77a8689cc3637a63d30fe631efb9477

SHA512
8c19c2a170a4178d73e6080d72fd2a6a94c63f95786284fd43fb7f3033cc27021d543e47253a18d491fa5b1c00014fca3c4273e88a09909e32026a595bd7bfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/3124-23-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-28-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-27-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-26-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3124-24-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3500-22-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3500-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3500-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/3500-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

Filesize
4KB

Download
memory/4672-9-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download
memory/4672-18-0x00000000754B0000-0x0000000075A61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads