metamorpherrat | df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0

General

Target

df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Size

78KB
MD5

88a7a14c8c93cf34ffd73a50824c1860
SHA1

eef0d848ef15bfa46bde60be3b35aa1f10c0159f
SHA256

df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0
SHA512

52183a7d1d803644b81d12279c521799ef10dd1542fa501a9cc39420297a5f2e95987e220f9d16642e8537d51bcfef5f311672a016838f203251e6a869a429fa
SSDEEP

1536:qsHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtD9/+1i7:qsHs3xSyRxvY3md+dWWZyD9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1928	tmp8FAD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8FAD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8FAD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Token: SeDebugPrivilege	1928	tmp8FAD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1924	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	86
PID 3228 wrote to memory of 1924	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	86
PID 3228 wrote to memory of 1924	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	86
PID 1924 wrote to memory of 1964	1924	vbc.exe	88
PID 1924 wrote to memory of 1964	1924	vbc.exe	88
PID 1924 wrote to memory of 1964	1924	vbc.exe	88
PID 3228 wrote to memory of 1928	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	89
PID 3228 wrote to memory of 1928	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	89
PID 3228 wrote to memory of 1928	3228	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	89

C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
"C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmhfkrlk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BE13D291032478DB1E4D13116D54E37.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E05.tmp

Filesize
1KB

MD5
8887fce970892044de0563e6537a4b09

SHA1
33bb9b9d91da7bcfc1cf5384f77ee980243392b7

SHA256
06ebe8e65902494465c68f02543241437b5070db2120180679d25bb781e85318

SHA512
e2c6a9e73ec7eef2a3c09886fb31e6e6623ee1cd92af607078dafb039f3d82791367e0de8617d97c54cede8455d3e3258f44bea64dcf5d96dd944b42030292b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.exe

Filesize
78KB

MD5
3e5b3b7dd0ba1951eb237425f14db543

SHA1
58d7076156af3899d97daecdb247cf94d5162266

SHA256
64409f0ae88777a7b2086111bb6c18059d40e5e78da0d18414af4c1355df1df2

SHA512
6f4b16d144749a3222ca704422f3364e453a10366bfa6adcf7ebc8c70a3f4eaba0c2c7f8538d49725d50317ef493de8bc7c01fbd624d36c0cfb05c2e687b5697

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9BE13D291032478DB1E4D13116D54E37.TMP

Filesize
660B

MD5
b9f4ea0c3f8efd8007f6da7bd2d661d7

SHA1
b2e1d9d6949fc7620c43bb172bcdffa2c64ba125

SHA256
c2f980f93455389c7290efe906362148933003201674dee8db02f0609d4c0c61

SHA512
1b09dce69428fc308c045c815ab3884853d45a322d89c1d3b5ca02fb5a038db4320439482d9cb99b3fa6451d53e7a43ea1487210a8e9f421adbfa2973476828d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmhfkrlk.0.vb

Filesize
15KB

MD5
da17ce5d3c2d847e68dc9f8c803ebb35

SHA1
f88f3b781341c7739457aed01ec16e304681d97f

SHA256
0abd7c599bc35fae95b5df35e1fe5357900e5b62b5a342b6e33c2808f09152ee

SHA512
2f32a418f3b5788ed96d43d6c6753b10bfd0fe5cecaff3697126d04a7505d378450a313af29d8117b11b7ec02dbd14cfd1eed67a6ba13b99e5719c7dcb58bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmhfkrlk.cmdline

Filesize
266B

MD5
9460698350920ba556b5c0f939cab29c

SHA1
202c567fb93a6b856c2ba1a050ebcd9ef7f2ec42

SHA256
4625b24d9f8474c4f35979489be25a077caa6f879623071443f682739aaf3dd7

SHA512
6b63e9d584d0a8e5073da576dc9e32cae3bc555c7646930f029f01a7e3a83aaa0db02d9efe383682479ff41b8e65ffbd4044b5a3419da4e7724c1f80c49d7e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1924-8-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1924-18-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-25-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-31-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-30-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-29-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-27-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1928-26-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-24-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-23-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-22-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/3228-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads