metamorpherrat | a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1

General

Target

a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Size

78KB
MD5

28af51a35d70018df036bd9e2671d459
SHA1

db708249b254953514155377c61b322cb21886e8
SHA256

a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1
SHA512

82a3151d1d25825b89136aa72479f2d399ff583f19d97a278c8f9a26599408b3e961e39b1d856d7b0b6facb8a35607f4245920097b92533cb327fb91deb61f76
SSDEEP

1536:ZRWtHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteY9/31Ek:ZRWtHYn3xSyRxvY3md+dWWZyeY9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe

Deletes itself 1 IoCs

pid	Process
2332	tmp99DE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	tmp99DE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp99DE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp99DE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Token: SeDebugPrivilege	2332	tmp99DE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 624	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	82
PID 1096 wrote to memory of 624	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	82
PID 1096 wrote to memory of 624	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	82
PID 624 wrote to memory of 4484	624	vbc.exe	84
PID 624 wrote to memory of 4484	624	vbc.exe	84
PID 624 wrote to memory of 4484	624	vbc.exe	84
PID 1096 wrote to memory of 2332	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	85
PID 1096 wrote to memory of 2332	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	85
PID 1096 wrote to memory of 2332	1096	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	85

C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
"C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ygxvsh4e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55FB881463FA49A8B6D91454F065CE98.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp

Filesize
1KB

MD5
dff959860bcad354de813ff6910eacd8

SHA1
166994141b67adac40c2f05faf87a38c284115a0

SHA256
ed7cca8a27b98c7b7a4cfb36b5fe02f7e407c5630564c6726ffa81a34973e2e3

SHA512
997dd362a0e6b31b39d68d3cd1bea5dc1efc40036f80d375defe00dd795e38a119cf8929bc210ca759d57cdfc2732137997cbe76dd414700488465b474794ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99DE.tmp.exe

Filesize
78KB

MD5
0be946e2336f195b4fa66c02152b9ba6

SHA1
49396d71f9077723867bd107213cbf44926c3e41

SHA256
07f36891bf21acd09e0296e2007cd75d881a14ccab2b52c548935a1925b4e774

SHA512
44f9db16df4d101f48930b5df00614c7706f2995286d97c56ecb55108778719b7ee4920982bdb00cafda1329357731cc2110a4f869323499dc5bd267d60a8d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc55FB881463FA49A8B6D91454F065CE98.TMP

Filesize
660B

MD5
41ad19e45e2ca74daef307071312e1f3

SHA1
3bcaf1fd19af2fe344c7c8d7b58aba770e528d30

SHA256
91ae2ed0fe98babb0df2a9e504f4b568363fd70c06b96a2358ea9cd2ce059744

SHA512
e622731b1e3b0ad860a818ca9ee38dd12c6aeb8fc6d899f4b58329268499d5dcac617e2c4c9ce4df9399f5c079df19dc87c544cb66d83f5879ecc25d2d7a27db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygxvsh4e.0.vb

Filesize
15KB

MD5
9b51f3e15a1e23bf2383c3fd503a72f2

SHA1
b36e1527ead7c6c1c5926bb4ddf7e42f5ff1bed2

SHA256
c6263c8f50039b55e4870d82df04b3bb51141b1d8365e2f4d1d77444fbe46a61

SHA512
aed86fbc1625492ec784e0552eef2f10b2c2cc02a6ee6bb652a4d7804618f3bb7d45034ce7298218c4eabd71fbb6c397812e8747403a0adf854e739da49b20e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygxvsh4e.cmdline

Filesize
266B

MD5
042dc5b85ae450f30ec32ebc4497c1d2

SHA1
c44f7baecbdf132ff75d528adccc74bacceb7cc8

SHA256
365c9a2f51cc9b52bab68fa4f846aca899b69ae4f5cf6af8ef6a1788e5599116

SHA512
9d4712b4d70285077af5df93bc5c7e2887b56ff51f78aa8718473db6794b25b5bb5fe249bb6a7f3273a5f8b2dae9351950b0d2af8a681668ccf305a29be29805

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/624-8-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/624-18-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1096-0-0x0000000075382000-0x0000000075383000-memory.dmp

Filesize
4KB

Download
memory/1096-2-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1096-1-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1096-22-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/2332-23-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/2332-24-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/2332-26-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/2332-27-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/2332-28-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads