metamorpherrat | ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610a

General

Target

ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe
Size

78KB
MD5

daff4bf724f410117bbc12db0c86d210
SHA1

33b0b4a73ce307fcf39df0ba98ecf36dc73f958e
SHA256

ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610a
SHA512

0bf8f38aead2fbc33139dedd6ead8102336d014a6da5bb07b80e20fbc1aa24211ee9e91613e43d5d5825c48e9efc53f6402993e2234e8dd1fdf921292ef6ab00
SSDEEP

1536:Ny5jSIXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC67R9/a1bj:Ny5jSQSyRxvY3md+dWWZyjR9/0

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe

Executes dropped EXE 1 IoCs

pid	Process
4592	tmp9961.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9961.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9961.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe
Token: SeDebugPrivilege	4592	tmp9961.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3904	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	82
PID 1324 wrote to memory of 3904	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	82
PID 1324 wrote to memory of 3904	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	82
PID 3904 wrote to memory of 1272	3904	vbc.exe	84
PID 3904 wrote to memory of 1272	3904	vbc.exe	84
PID 3904 wrote to memory of 1272	3904	vbc.exe	84
PID 1324 wrote to memory of 4592	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	85
PID 1324 wrote to memory of 4592	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	85
PID 1324 wrote to memory of 4592	1324	ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe	85

C:\Users\Admin\AppData\Local\Temp\ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe
"C:\Users\Admin\AppData\Local\Temp\ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k83s0v5v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc126E85441024795B8C077304AEAA7D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\tmp9961.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9961.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ce82fef29fa9da5efe3620c33c1dff0c56fd3218867bc6ea8695372e9c6d610aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp

Filesize
1KB

MD5
5cd2cc31faeb9aa5abbaeac44f00a392

SHA1
ce038fcafe0c6c8eb51234ad54fd8b8540b8391d

SHA256
2c85060ec6263a6ba96cc653c2b2e49f334bcf5cb98a63aeb5d6c597d6d1d9e9

SHA512
a32f9ecfe2bd56e92ca166564612d194f900fee40d30f142cf3e0960c0d8a33016245aed99e6f84e9e165a6e8b8fd54508e7c23b2699dd721a6c46013cb0bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\k83s0v5v.0.vb

Filesize
14KB

MD5
9f721888b801fbb167fb17391d30c564

SHA1
a4096ba15af99b514d971207ac0e6e236cc9f766

SHA256
028574957feb76958c11024002e6f6b323f8b119a75f2741a52b0b8b99fc3da0

SHA512
b7a1667e46c5765ae7e73b25b1eb5cdff8766f1a7fc472fb34fc293662ada3e0dc0e63b3d2b4fef1ef63c6fe6a96efba0fdb34fbf438a934ca5fc0bb23f33038

Download Submit
C:\Users\Admin\AppData\Local\Temp\k83s0v5v.cmdline

Filesize
266B

MD5
633aec5318d7323168847e1d21d0899e

SHA1
14e2a6ce0f3f72c1298b7e407f54eb3eeb3811fe

SHA256
b6827a1bd04e5bf41295030d95b2d2ec2b2ea47b490e9ead00948aa4c8f84871

SHA512
047b1546b3a860682048cbc0127b724d66e8ade6c36fb0728a3cb6036d0a605ad23b0127ea392f8f22b01a67ec4538b7450c35052e0861ccf08edd72bb99ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9961.tmp.exe

Filesize
78KB

MD5
4c6dd7a32364e32685535e32d1e6fadd

SHA1
1a1994352d73b0417372b94f453fdebc635cfdfe

SHA256
9c5e3ddd78dbc69c90ed01a2806783ad49a9f45c7b57c07ed4e5c06df64dad01

SHA512
108612b7f93e1fabab49f35d76c64b90587471d08b1123d7e964b2b6304b3df61e3a505fb73f8009a949e1dc0cb229c8038980707a3dc436ac204c6cd03427a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc126E85441024795B8C077304AEAA7D.TMP

Filesize
660B

MD5
a8e1192b9728b2326425b8095aeeaa57

SHA1
4a0bcd634d1a43cd0f496423c99fc5d481c3e6fd

SHA256
2071da3072b2b4ce1c058abb6f799aef36b42f17cfb4fdda1d3dba71ed6a1cad

SHA512
314ce2bd247b2b2cce43a81657cc275a2b8312035c777a5d6196f7d1bfca24a25390f9ccd232a8ed192f6b3693a2e848052a39914beb91e48e2b0732c8d8f308

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1324-22-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1324-2-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1324-1-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1324-0-0x0000000075382000-0x0000000075383000-memory.dmp

Filesize
4KB

Download
memory/3904-9-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/3904-18-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-23-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-24-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-26-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-27-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-28-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-29-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4592-30-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads