metamorpherrat | 8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaeb

General

Target

8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
Size

78KB
MD5

fbaeb298a868ea3384010e805d3e4130
SHA1

1376a5e582e6d256f7d9f1243bffb84bed14cd5a
SHA256

8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaeb
SHA512

86d72b1c5b60f8ab6cb19092180e4945ba75334d1c8b91132d809933412fb5c3286ac88a7bb541b36372e39c89638c7c9d23a8a0533240bc8b71f76eecbd837b
SSDEEP

1536:LCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtB9/G1dJ:LCHYn3xSyRxvY3md+dWWZyB9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe

Deletes itself 1 IoCs

pid	Process
2224	tmp6C27.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	tmp6C27.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp6C27.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6C27.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
Token: SeDebugPrivilege	2224	tmp6C27.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3840	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	83
PID 1856 wrote to memory of 3840	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	83
PID 1856 wrote to memory of 3840	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	83
PID 3840 wrote to memory of 4176	3840	vbc.exe	85
PID 3840 wrote to memory of 4176	3840	vbc.exe	85
PID 3840 wrote to memory of 4176	3840	vbc.exe	85
PID 1856 wrote to memory of 2224	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	86
PID 1856 wrote to memory of 2224	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	86
PID 1856 wrote to memory of 2224	1856	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	86

C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
"C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p_zvztys.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8239BDC3C71441989A6583F4567048A9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
- C:\Users\Admin\AppData\Local\Temp\tmp6C27.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6C27.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6F35.tmp

Filesize
1KB

MD5
fe41acc302367cd618ef93909f79e32f

SHA1
8841c4300f457e98a1f4060b49ac455527e2515d

SHA256
09d9be6f44117bcbdf32d3ba8964fa4d703c80863653e7b6e8f3961b88e07758

SHA512
e3ee2bdae086cb9e9223217a627a91d9eb7085592d803b4fa9071933ddd09d5e584593e10eea68dd9c68818756df3d83372238ce9633349fa303efb532758c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_zvztys.0.vb

Filesize
15KB

MD5
8cfaa2b7ab92a9211e82008e6c419140

SHA1
214793e2bf82af55d6bbf82674e4d686fe528132

SHA256
99d24be756e95e70f5b379c5cbbe9aac2e956a5bdf958abd36cfaafab8d2d1a6

SHA512
4040f3086c24717dfc14235405dba7f742129db7fc12919580e15f356d827724750324a7adc3443167b6b3b2f5f550e3fb2a48e10e93b86a776cb67c35f6fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_zvztys.cmdline

Filesize
266B

MD5
444217fb50d846dd3c670f219d2df6bf

SHA1
b375158867a65ec37ff264fa5e188175f9424cc1

SHA256
dc72172861c4b4baeec1c19702718b1d8974bb0e374d9ba6f6c19189b3a04c0c

SHA512
d92ae7a39ec12a1119f971b252852b3f9221ff20e7d96b2eeefec09e9105e6664b7e974f496a8fad9dc37666424db218de0d48c3371a1049b083b6410de0ead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C27.tmp.exe

Filesize
78KB

MD5
e4d24749c7ffa0e7d0d95ba330bf1859

SHA1
da57428d954e5b6eaf57ae0167df0b9dbcba908e

SHA256
24891db1e9e6c195c2ae72f243b83038ce2f3ef8e2c97f97b253c0b9b6f596bb

SHA512
03f2d1f42f46a68af947fb0866e42ff83ee3f6ae6af84e03541b63e7fe199538cd23f10eef4eae345d94b07d6f328ecb04b20a5d2c305221f1e2b652b06c7c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8239BDC3C71441989A6583F4567048A9.TMP

Filesize
660B

MD5
fdafbbc606a604b36cc24ba24f75a804

SHA1
4931a9836bcb44ff733dba6648cb39ff8d4174a1

SHA256
8f56cc5bd4a85b3d2b1d78e045ee93c9a2bd6dd41b728fca9f9ea4a090c4d31d

SHA512
ebf09fa7ebf37db7b3022b41a72bb5bb9ca77c5d25ca60e55e3f648c1ac3ea40d97933d382c3782d01b9bbc8af07c1e6a9449eb7f2400520b23e8b42c5034066

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1856-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1856-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1856-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/1856-22-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-23-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-24-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-26-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-27-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-28-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-29-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2224-30-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3840-18-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3840-9-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads