metamorpherrat | 8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6

General

Target

8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Size

78KB
MD5

600e83c24bad9a1299454e32daa605d0
SHA1

621deb0a82fbfe04370fbb8e96252d0dd453a7e2
SHA256

8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6
SHA512

2a51608ec3415f36003be13f01724d6b8a6db604a819a0624852fecb2fa58594ea3c1be1134604c39d81c4ff3123d49b35a0007c5041fe7a5fba002699a1e0be
SSDEEP

1536:5CHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtp9/I1vNn:5CHFo53Ln7N041Qqhgp9/2p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	tmp7FDE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7FDE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FDE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
Token: SeDebugPrivilege	4648	tmp7FDE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2360	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	83
PID 5076 wrote to memory of 2360	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	83
PID 5076 wrote to memory of 2360	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	83
PID 2360 wrote to memory of 2056	2360	vbc.exe	85
PID 2360 wrote to memory of 2056	2360	vbc.exe	85
PID 2360 wrote to memory of 2056	2360	vbc.exe	85
PID 5076 wrote to memory of 4648	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	86
PID 5076 wrote to memory of 4648	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	86
PID 5076 wrote to memory of 4648	5076	8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe	86

C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
"C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p619ae4l.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8107.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2755536236E42F59846EEB1FFED1614.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a79f33b9235dd641518e2d0e659ff43500c30bcce109283a179332d8e92d3b6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8107.tmp

Filesize
1KB

MD5
056292ce29bac15d4e675573dc0b324a

SHA1
159e7c2c4e3c515048f2e4925ff129922d0972f1

SHA256
f784459669dd26ef124b96b31c4eec378d49395ddae6d45ec40b57413d1d555e

SHA512
2780141151f95551a60d9dc6fe9db5de220cfd72e87be8c06ffd8a0ce7acdb3a756d6fcd813bc2164be24fbf684b7225d62f7b8aaec2c1fb6393b4a569f5df28

Download Submit
C:\Users\Admin\AppData\Local\Temp\p619ae4l.0.vb

Filesize
15KB

MD5
0991f9f8d98e1c3216c432552ee82a44

SHA1
327c0eecaa36cb1ef8e661d799f2b3f58267b56a

SHA256
2f249fcd85a1621b4c1107e2655dcf2bda0a82c6a93fed1742da6ff58e0bb7f4

SHA512
11edc7f44fa8148d7c9080ca2f6e8984759cb7f5fcccf2c48d571b757afc3e112fc5f9f0861795c41cddf63dfcbb2afa6eda8d917b3194b333086d90e8028198

Download Submit
C:\Users\Admin\AppData\Local\Temp\p619ae4l.cmdline

Filesize
266B

MD5
6d6634a1252e5e2b6b7a37bc2aa4b93c

SHA1
56963f1148e9b60b2ec01bc2660cd1d7091f6a78

SHA256
8ef155b6d318b438c250e47d6922743b51f1c508f7ce6b67f1401e3683cfad30

SHA512
4f65eaee93d4fc27c9100928f79b6469bb191753d08be4209fd969fe12caee5d2449928ccc93b80feb71983e8251cfdc645b10cb6f7c3bf73828d8651a6a3976

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FDE.tmp.exe

Filesize
78KB

MD5
eef180474b23294184781e9956fea532

SHA1
6350a2761f020caeb835fec2f44308336eb5f6c9

SHA256
64830861df0699d7c0f17466648530b4958739e905cdff9fc205b27b635618e4

SHA512
ecdcb684cce63830caeea0b699828ce865218431850bc917ee9a376f74f6f3ffd0713f002e4b57b169db8eba0b5279e7dc38e13fc02c2478c3c2566da1fc36be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2755536236E42F59846EEB1FFED1614.TMP

Filesize
660B

MD5
81d26f25839a50eaef36a365ade2c760

SHA1
0cebdf0ac7a22201dd1b4bc7144829838dbabf90

SHA256
8fd0a26d9d0d248a470fe87adda2f1b710e2eed75acb25db5ae03ad6d2fa96a4

SHA512
23fe5d9693f4d7a1fc8d501709bd1af82dbec6b915843916d220fd9ccd33725f54e8bfb2fdd1102732d93972269d7ecd96bfbe1147dc64e6d948df14d42bb4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2360-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2360-9-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4648-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4648-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4648-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4648-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4648-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/5076-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/5076-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/5076-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/5076-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads