metamorpherrat | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff

General

Target

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Size

78KB
MD5

429b87cd41d4e67b43010fbd651e2cd2
SHA1

8862545b217e67c7a037b2aa1c20e74d85cb8b57
SHA256

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff
SHA512

84ed16a0031c02a93b0d188f09619bb0428c7d068af9161c2372b5a9f7b7c34ed784acbb5fdd2ed20ba0510ac87ada68a7e86ef4e500e59edbb19a16c19a09da
SSDEEP

1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1GyG:XuHFon3xSyRxvY3md+dWWZyRK9/nIG

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe

Executes dropped EXE 1 IoCs

pid	Process
968	tmpA901.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA901.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA901.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Token: SeDebugPrivilege	968	tmpA901.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3508	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	83
PID 1964 wrote to memory of 3508	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	83
PID 1964 wrote to memory of 3508	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	83
PID 3508 wrote to memory of 1820	3508	vbc.exe	85
PID 3508 wrote to memory of 1820	3508	vbc.exe	85
PID 3508 wrote to memory of 1820	3508	vbc.exe	85
PID 1964 wrote to memory of 968	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	86
PID 1964 wrote to memory of 968	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	86
PID 1964 wrote to memory of 968	1964	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	86

C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
"C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1nuo5ue.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF85AE368B264C599D1C6755CA10287.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- C:\Users\Admin\AppData\Local\Temp\tmpA901.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA901.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB72.tmp

Filesize
1KB

MD5
48186e5a7fd89d04907653762b8dcdbc

SHA1
9ef68f77f9c89cc8dae02f6103b959b833f64c0e

SHA256
4ebf30b28cc91a5fd5f7b049043acdb75860a4754d15f7e6af944822e7fbd2e8

SHA512
85c82b6161098a26c1d3c72aac097f0e9573e60b673707ee92b7bc0c40eb9738f7c30b3594042091e167ec0ad99cb4ad1a44063de66da486219586fb66625aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1nuo5ue.0.vb

Filesize
15KB

MD5
bf91b37282a4f8e3f7cefb804004dd96

SHA1
17df42cb2d378a1ecacfb6dd6dbbe398e1190739

SHA256
a721ce36e84705c64db0db3e2f9896d12f58d5a483a4dbd154853a133ffdda91

SHA512
79f8013664a5a53b68310c02bd67671aa6040b8e415a87b03d807dd8134a337f9b20af5a5ec26403178bf7c5a8c2df7fd29348213a32f8cf6da35a7a244ed9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1nuo5ue.cmdline

Filesize
266B

MD5
a5c66907d5a339f0dfad9f3268ba5010

SHA1
3dfba1b702eb975888d6a8720d39227e4f33853b

SHA256
a0439f0d37b742f34f11ff772537369ee3f384bc233ab5cd2e91e638baefe112

SHA512
8a2316a7ec238c0f500c701f8a64b34b6eeccd494219e599f2c90c57b0ddae03ea6cb15856eee86ed8e9bd6527ebf1cc3a36c8703b283998526e7375760b9c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA901.tmp.exe

Filesize
78KB

MD5
e4aba5c5a1b44793517634232c43b624

SHA1
7afe505df56966fe2549c39edc1ecdc40cbdfa48

SHA256
1737d457581c6f0283506938a82a6c2b72acaed309baec274b00fe1ed9dc8e72

SHA512
5585b4503e26abe1fdd33f4bc3a6ac7c51da52a6d5c4091464b43e9f95bd33e09d92c4384f1400081be2b2080cd18bf516733483c07de79baa2ec3957e455a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF85AE368B264C599D1C6755CA10287.TMP

Filesize
660B

MD5
d0babd548c7c2d1f1e1a80f0168849f6

SHA1
ef0f1852deffabc4cc654f4097d2c8045d485a3b

SHA256
cfcb3640e20bc2c7d4164ee98f33dacf6deb78b5531602e5f075c5cb4a83a67f

SHA512
2384e2e220789a89bc93f5337571d02303d648fd0f289f0371f1b3085a4b96841ad64da8efdca01670e9adc494c7dfc7e66025ebbbca095cdd5115819a87bec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/968-23-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-24-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-26-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-27-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-28-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-29-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-30-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-2-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-1-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-22-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-0-0x00000000745F2000-0x00000000745F3000-memory.dmp

Filesize
4KB

Download
memory/3508-8-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-18-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads