metamorpherrat | 9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648

General

Target

9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
Size

78KB
MD5

bcf13ce78e5d7cd417e5f2ec023b41e9
SHA1

445259463805fd75f206b2bb6a3ad0d7024ba703
SHA256

9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648
SHA512

508c45c3ef133a8caffce4c78ba8773524ac0ce42cb04c592ecb842aa9cb4e46565fc5158847d0ac082c4a69da70eb95994f74ac40b92e78fae42c6e560044a4
SSDEEP

1536:tCHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQth9/C1xgk:tCHF83xSyRxvY3md+dWWZyh9/5k

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe

Deletes itself 1 IoCs

pid	Process
4056	tmpA79A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	tmpA79A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA79A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA79A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
Token: SeDebugPrivilege	4056	tmpA79A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4856	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	82
PID 3564 wrote to memory of 4856	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	82
PID 3564 wrote to memory of 4856	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	82
PID 4856 wrote to memory of 1744	4856	vbc.exe	84
PID 4856 wrote to memory of 1744	4856	vbc.exe	84
PID 4856 wrote to memory of 1744	4856	vbc.exe	84
PID 3564 wrote to memory of 4056	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	85
PID 3564 wrote to memory of 4056	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	85
PID 3564 wrote to memory of 4056	3564	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	85

C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
"C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmoohozf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC868C4D39FEA4AA7AA5E6888CE9C9F6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\tmpA79A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA79A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp

Filesize
1KB

MD5
9380ab3ba7af1594b9223f0f299266ae

SHA1
50b51ab96ac890dcfbf54bcea7040ceeca83435f

SHA256
96824770fd8b27e27afd223e3ffdeb02d909e296da4fd471ec0700181aff0611

SHA512
b40d95555a9abecf7aa519b0719c1a276f60d501a0f53c4db8ccb9716bc2ec94de97e82377306870f241c32a6d68ca50289fa32a5679c03726f3e8d8e7c33e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmoohozf.0.vb

Filesize
15KB

MD5
065086a7604cd7e11824ad0fae3f5536

SHA1
655339a3f03aee9d8d6aa8243633d6dbe28ee4ee

SHA256
dfb7e812c4aae5842ae57a9f4db11b61615c5c579acd45c32da1cfbc73fdce25

SHA512
41ce2b7eb5cc7f2902ab29689c8bd7712266da721633275959ecd4f7c13a4b0c4c9b2b1a78e782eb3f82c0ca9db40e6f28a24aac0c2ad56c21fdb413834862cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmoohozf.cmdline

Filesize
266B

MD5
ebd413f7826566b9cdc27db9cea6c6ec

SHA1
2245c52364a8bf58c445b538262ad6b71d1b8d4c

SHA256
164c498416449b6807e6ae7f9b0ea5a0d9b7e6f849e5ffa68b68bff8e6af90ad

SHA512
06619a49f20215a99e56785efadc47d0e9f552ed4b5612a58d64eaa55e15c8b65af1d4ec4927717edc19b74337fcc5aa99b82dd19d854d245210955420511d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA79A.tmp.exe

Filesize
78KB

MD5
af92aa34c4c4d74453022aaf968d24e7

SHA1
2dab1373d9b36ba752a6244e43252590b310ba26

SHA256
651db18b48bd14ea7c13bacc7fc78605b8161d40ec2c96976f90abc89c2064fd

SHA512
c74bedb0f3bf7bf2c176ac44414e27706ce5456b85cf78e121573acc22e4eebbb95eacb11604a27af37cf7d649e35ddd88b63bea6c796c8417a75c6cf41e7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC868C4D39FEA4AA7AA5E6888CE9C9F6.TMP

Filesize
660B

MD5
a35534e4006eed33b94144f7b9710c30

SHA1
8683b4b48fa05e77d1948fbaa781eeca422b3785

SHA256
f91bfd7716b72849895b63ed62a13e8b37686758e2a3dc54e0d584907d0bd7af

SHA512
d521bf87f184f0c95afa95fd0dc150cfdd943d82017162360f8ac52ce86698eda5df62d6fd027ed97639ac2e63061fd0d312667d796915b8093b9ca73a2d5495

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3564-1-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-2-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3564-0-0x00000000753F2000-0x00000000753F3000-memory.dmp

Filesize
4KB

Download
memory/3564-22-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-27-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-23-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-24-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-25-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-28-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-29-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-30-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4056-31-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-18-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4856-8-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads