metamorpherrat | 30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb

General

Target

30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Size

78KB
MD5

93c7a8b8044657becec13b3fa7afc61b
SHA1

e04d9bcdc3196b0eafdb7a056fc1a8982de47935
SHA256

30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb
SHA512

8fce401ad3e906f1ce0963829903316d0523b63f860df35e1921d4785f37028808012948585c4038dbab8349ccf427a69460faaf9ba46ccb98e79f62a87e6f28
SSDEEP

1536:LCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtB9/G1dJ1:LCHYn3xSyRxvY3md+dWWZyB9/U1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	tmpC498.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpC498.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC498.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Token: SeDebugPrivilege	1472	tmpC498.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1080	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	84
PID 3988 wrote to memory of 1080	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	84
PID 3988 wrote to memory of 1080	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	84
PID 1080 wrote to memory of 2308	1080	vbc.exe	86
PID 1080 wrote to memory of 2308	1080	vbc.exe	86
PID 1080 wrote to memory of 2308	1080	vbc.exe	86
PID 3988 wrote to memory of 1472	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	87
PID 3988 wrote to memory of 1472	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	87
PID 3988 wrote to memory of 1472	3988	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	87

C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
"C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\31ooxmrb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0A47AF0960A425DAC2E63A2AFF62F27.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Users\Admin\AppData\Local\Temp\tmpC498.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC498.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31ooxmrb.0.vb

Filesize
15KB

MD5
e050e1a4f5e9b662857453600c73a202

SHA1
54c04792b51c4a6ade147c486f573eef853155e4

SHA256
76fde53990b33db73190fd11ae3aa362ef02467bcda2c2660c208065a41b07df

SHA512
c7e19ee7fe87772199f348d0a27d815dac5b118370c187b740e305d77921e55b28898fcbdb7fcbb92917e4dbaf3b9f42d620520f91784103743345eee210a82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31ooxmrb.cmdline

Filesize
266B

MD5
5cb900207e493d2e3a3323d3da5e1603

SHA1
787428d4022e785027a42b10ef3e5690d2a18224

SHA256
3ca8f549aecc4f9a437f89ea593d08086a2e6287254ad9314c20cb2fcf7fea7d

SHA512
7ff409e0e548e68770b9d0ba5df6222cdb9506d62c8bb18df58858ffef73c910dd1d39e9b07b8e833bb0372059e07af3b4469dd165b35ef8d36555f11bdf8eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp

Filesize
1KB

MD5
cc046f40e0cfcb8c90c74a740472b7f1

SHA1
d0c38e7b5a19d67c87832806e183dc7c597fac33

SHA256
e44584dd5ed706d0ef88754c86c1e1287739bbdc7573d0577ac3d18a999ea271

SHA512
e87d1977764f2767e5bf2753883d6400fd6cc5a4075f3369cc5dfc4ba89084d01f74d9f3ba25c29778596cc07ab48330660b0222c255b26f345f1d3e50c9ecbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC498.tmp.exe

Filesize
78KB

MD5
649cd8053f49cda710c98561e4ed2ad7

SHA1
29b379cd81f8602a65a3de193ae7a65b7b493d42

SHA256
18d8d497854a099d3f9d085d762c86b43ad913ecb0f7683d76e878f05d5a2438

SHA512
d7e6854e3f74b4dd9883e0b8239748ac3bf5a1d2c35a20ffad4e29595ef3d6015c9e8030a2b270a1f3330c19874ab616b24fb725058621b4cb1b8589e0b37416

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0A47AF0960A425DAC2E63A2AFF62F27.TMP

Filesize
660B

MD5
f5d4b342dbab484b1574141456a030f4

SHA1
1fab145ef6365853157b83e3e4215ee5298bdbda

SHA256
14d491b5b1e902d1dd50e44a6eaf63f7be4a3d9fc47d7434494db1a2eb4c7d49

SHA512
62e0cdbc90b7bd50b54ec5a47c1e074cb1a6ddedd9ef0dead1239800c2f94eff9160883b4e939a6f8e614bada93876586eb39b2edd1c33a4840daa27c15f2f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1080-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1080-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-24-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-25-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-27-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-28-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/1472-29-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-0-0x0000000074732000-0x0000000074733000-memory.dmp

Filesize
4KB

Download
memory/3988-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3988-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads