metamorpherrat | 5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d

General

Target

5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe
Size

78KB
MD5

53149184b5d895d93c2ec1cbd51e8e11
SHA1

5b95fbb21e11950adc4a190a9a52a0536cfccbf7
SHA256

5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d
SHA512

9e037c03edb3c9383cbb97eb31c6d3fc277fa1afdb923ba5d51cc1e3f5f040a425be71b5d8cf2ee1cdb294b4ec5a26e810820780df0fa9e9b3cdb64facc7be15
SSDEEP

1536:/y5jIXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6m9/q1tVh:/y5jQSyRxvhTzXPvCbW2UO9/0h

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	tmp8A10.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8A10.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A10.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe
Token: SeDebugPrivilege	4404	tmp8A10.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3472	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	83
PID 2336 wrote to memory of 3472	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	83
PID 2336 wrote to memory of 3472	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	83
PID 3472 wrote to memory of 5112	3472	vbc.exe	85
PID 3472 wrote to memory of 5112	3472	vbc.exe	85
PID 3472 wrote to memory of 5112	3472	vbc.exe	85
PID 2336 wrote to memory of 4404	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	86
PID 2336 wrote to memory of 4404	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	86
PID 2336 wrote to memory of 4404	2336	5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe	86

C:\Users\Admin\AppData\Local\Temp\5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe
"C:\Users\Admin\AppData\Local\Temp\5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6gbaudws.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB481D8A522A34E829B14ADD1A63FEEF9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a45aefbc248a0f2c6d2f20d9dfc7fd675840688813a3e593ce7883fe9f4631d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6gbaudws.0.vb

Filesize
14KB

MD5
78069054b8692c779989695ffde5abe4

SHA1
5a7dd2d2f3458c0e68cae2cfb06d7f00e20305b1

SHA256
9e4d40a9ada6eda6720201b7619d998f4805d2a23341900d213e5c37bce3ab98

SHA512
906a82655f35c35a8b9b70bda935256eca8ba07961601ab358c3cce74ead950fa6b2625dd18acace35660d4940519c7c1cfed06305b88b1c94f4569e77635313

Download Submit
C:\Users\Admin\AppData\Local\Temp\6gbaudws.cmdline

Filesize
266B

MD5
95567d426a6668bcaf211e3055157dd1

SHA1
7235c82c353652bfe750b8800b5d1740f94826d7

SHA256
860eddb1c0154071900aac188415fc522555eb43b5743ec57243be467577107f

SHA512
9898a3a1f210a16a620e319291eda3986def803f0912e0773255b197d94ba9224f31a4f14099d36f3b601eebb801e9b51658a6fc19630ce768a7daae35a6c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CBF.tmp

Filesize
1KB

MD5
72ccc11f517001bfcc51cdf875d67b05

SHA1
174c735ba29ce88d731200b3b4281619ccb0c6b0

SHA256
b0651fe9396021c533584372d132b4233fa9324ac52a71a676b1314773455253

SHA512
26482a7d6a3077c93224ceb6cec70b1b5f177f8b7860ac1bdf6e4f16fe4d2aa845a3cbbce01d5ed98efd936315aaeb25193698de637c5c32fc6249ef6c1fec31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp.exe

Filesize
78KB

MD5
cfe00a1f010b439f6e5fa524f10df677

SHA1
3cf597c73e263db81e1a3697a104641af0eca6e6

SHA256
01d0c669465ba824b099104888092953b805a374645280bedd11d17e857cd155

SHA512
4ac9db34c5b073f1ef397ab30ac7ec971c801166347b9a42462c3592122f93c8ae21dd6006f83493d813b10c5056d42d8cf3ad2ce01b226fc73d23d7a2b9edad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB481D8A522A34E829B14ADD1A63FEEF9.TMP

Filesize
660B

MD5
2ba964ea21c0a206b42706851525fc14

SHA1
1adb694b8c0b2c9064e076b07bdd45b00519f091

SHA256
490e3c663c25efc0f52c5ad8fcee2a6c3aac884f77cdeb858d2f995888c6f62d

SHA512
8d4b7d8f9a89df65fdecde79ff35bfc1bc7ef12950a369d8c684372d1aa9cf6a1fe18d00f2579b5a7dc09965d569004cf5c54ddb3d37be14bbfca8cf5299bd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2336-1-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/2336-22-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/2336-0-0x00000000752A2000-0x00000000752A3000-memory.dmp

Filesize
4KB

Download
memory/2336-2-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3472-18-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3472-9-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-23-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-24-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-25-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-27-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-28-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4404-29-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads