metamorpherrat | 694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004

General

Target

694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Size

78KB
MD5

f38f16155e35c28c33fb7ce108438bfe
SHA1

aa8ed54feee96ac1a3a846251e3b8ab135bf1718
SHA256

694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004
SHA512

fe2038cd79e851786909c79cfc9ff38e1210c378bfd31ab0791563f8930d1b1ba28ff4f0501404a01753188f14db3637a35a2557935c8e850b56d6ab935ca7ff
SSDEEP

1536:We5hXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6g9/F1hnT:We5hSyRxvY3md+dWWZyP9/JT

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	tmpB47B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB47B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB47B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Token: SeDebugPrivilege	4056	tmpB47B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2984	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	82
PID 4636 wrote to memory of 2984	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	82
PID 4636 wrote to memory of 2984	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	82
PID 2984 wrote to memory of 516	2984	vbc.exe	84
PID 2984 wrote to memory of 516	2984	vbc.exe	84
PID 2984 wrote to memory of 516	2984	vbc.exe	84
PID 4636 wrote to memory of 4056	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	85
PID 4636 wrote to memory of 4056	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	85
PID 4636 wrote to memory of 4056	4636	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	85

C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
"C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nibfhblu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB546.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81B6941D12234FA591404D651F2D730.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:516
- C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB546.tmp

Filesize
1KB

MD5
81f8ca2ee1d9ec4f341ba728d29ec525

SHA1
fc69c9478c46e508a4bd941b1a44c6c29b668691

SHA256
d3bd959e170d17c051dc5c1cd34043c218f6d2f3022ec817815f27d64271fb5d

SHA512
c38e33c4917d22707887428d3a895f72e93d92939ad2c0db7951aff8a342332b3f2fd870a9f4530e9ebede3bb5db8f302280680c865d3475618ff158209007db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nibfhblu.0.vb

Filesize
14KB

MD5
c36139eaafab88e631e6a0d2b855a260

SHA1
05391fa5c4da0f64a79a14620a2ef3d70f7f19ee

SHA256
cda3d6f24d7bfea83dddf1357703adf7fb5c1754908c33a849aa6deb27ab62d0

SHA512
f4c100ecabe9feaa923d0336a36789ddbdca90f984b5d2a86fa824ba7368367f3cd9087df173df2900b78726d65f9c8b07d7699664a1b318c4f0049fec14de5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nibfhblu.cmdline

Filesize
266B

MD5
8144b3632f10fb6940287000c584bf72

SHA1
ecc25cd015f4766f6075d506819e46211adc4936

SHA256
a649c0ecbd669e75d49686df3a7ccfa97913e4d7e28b36ede3933412abbff01f

SHA512
7f0a460a2dedf01a4626c82db2e547f4927445454680c45753fbab820c39d305ab6b5053bedc6f2f5896a9c8822a1af0b90ad1c5ff8047201a78aaae05edc759

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe

Filesize
78KB

MD5
ef0cf736897b369afb4d3ca3584c7e7b

SHA1
f89b050a4a8bb1a562647f55d1e7d971216cf889

SHA256
96d61fc191caba112869b01fbf4accc0534407df8626b92d71517131d0750f74

SHA512
0846f7fad73ca4e1df236d6f5d82dc2bf938be200a1f6213bb53be3a0972104afce60de9154ae9c920f68f6e506863b72999881ed4b0f842f5d4e98c8b41e9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81B6941D12234FA591404D651F2D730.TMP

Filesize
660B

MD5
b39dd30198e28f06178a28990642b748

SHA1
f87b3a0a409b7c94320287a6c25dcc9262ad6a7c

SHA256
58d103ccda5aa6919db002b9754cc1c08cc209b0e02af5d10b7c776dc41f8ea0

SHA512
64cfaae081ffd5263267806bed6c30fad7169bf1ba843a4354f1e15402e922d20ff928b50e0e19109f9152d3e0e7e9c16f089029a75cc56b43c6d9a581b219fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2984-8-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2984-18-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-23-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-24-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-25-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-27-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-28-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4056-29-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4636-22-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4636-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/4636-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4636-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads