metamorpherrat | 2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553

General

Target

2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Size

78KB
MD5

6b709ad2185c3c7fc61787f7c57461b0
SHA1

4e61434781c9ed46da9ba52fd297c036cbe418a4
SHA256

2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553
SHA512

0170f9e1ecb27311e0955af2080fd5793f2656c1f72de7faaf71bc10abd08dd565c23e5a89e85c88fdfceba1405b7a3ceda697142b2bed75cda41c608fbfc116
SSDEEP

1536:PStHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteC9/jX10l:PStHF83xSyRxvY3md+dWWZyeC9/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe

Executes dropped EXE 1 IoCs

pid	Process
4200	tmp9F6C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9F6C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F6C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Token: SeDebugPrivilege	4200	tmp9F6C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4316	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	82
PID 4508 wrote to memory of 4316	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	82
PID 4508 wrote to memory of 4316	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	82
PID 4316 wrote to memory of 1156	4316	vbc.exe	84
PID 4316 wrote to memory of 1156	4316	vbc.exe	84
PID 4316 wrote to memory of 1156	4316	vbc.exe	84
PID 4508 wrote to memory of 4200	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	85
PID 4508 wrote to memory of 4200	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	85
PID 4508 wrote to memory of 4200	4508	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	85

C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
"C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\raadymud.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA076.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A8D1C4C6CA84E0FAF36E7A044E73E6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1156
- C:\Users\Admin\AppData\Local\Temp\tmp9F6C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA076.tmp

Filesize
1KB

MD5
8d7f7d472ced8aeb358f6d46b59e753c

SHA1
052ead6909d073a2237bc0bde60dff4eb8faae82

SHA256
5776628ef381063f3ab0b006d8412b6c296ef612ad57700aa5ed56195114fe93

SHA512
396b601f5faab8781878093d9a56638ee399648872f34a32b5f13c7696a550a74d55bbfe40255f72ec3fff33c615aaa5ac100126454b657c8c215659f17228fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\raadymud.0.vb

Filesize
15KB

MD5
8e258db47d15f3a21f7e9183f589ef9f

SHA1
3e2e1ac6f54a7c62fedc289213eb9d6ea44501af

SHA256
a05ec98c24ec88188d5efe7a1b85acd9d5c3935dcc84ba36b1bb7f3858d8c0c8

SHA512
e9c2fdb866fa6aebc098b46b7d9f05d62b7be75a6e8c5e3bd676eb85b9605fcf8b3e8c8bca4a360706b425d11f0a47ad8e09ca1e962ca70aaa053cb5afbc92f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\raadymud.cmdline

Filesize
266B

MD5
d59aa2c56abc9267faf236cbf8c0d901

SHA1
d6d24b908611ed0b40402f0c676e7d12fe420901

SHA256
778c15d7aa455ef4a24632d05047c46345422ba94fda649fe50551834cc79153

SHA512
4898db6e7320d13f228290df27cc95bd5efe0b4e447755878b1f699abbe61d8d2c0c9dc163029146d66f8bbbc83f7b48a582e85d13187a38cbdbeddc1b7d425b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F6C.tmp.exe

Filesize
78KB

MD5
d4e1984b00eb49408f035dca408fc5c9

SHA1
3ecf166912326dae917975c4d8ad9cc9d225eb92

SHA256
d8508e83fea63b15907c621100964445f7ba305b5f3dcf7b004319e0cf0fecff

SHA512
0cd788b3e9baae1a56d90c6d6d36f9a9948ccb92914bae2a8ba6dd2bee01fca7ba017e1eb6689de2f7835ecb4deb7e821368d5166659bda2615fba07fe69cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A8D1C4C6CA84E0FAF36E7A044E73E6.TMP

Filesize
660B

MD5
579d9b05e9298c20a749f05be0e43e1a

SHA1
1d52b2c907e7665399373eb4d3e4569435c0dba1

SHA256
24994b25553185b9ecb8ee03978631321eca49896fba5c3fc03f5faafe79d0a1

SHA512
2b18f07cabc4892b072f9d381abb58e1ccab0b409c6e058916becad3241c0c740846436295c143eb64882c467db6fc3011c7ce84900f300cb4436f39dd3dae45

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/4200-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-31-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-30-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-29-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-25-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4200-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4316-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4316-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4508-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4508-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4508-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/4508-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads