metamorpherrat | 8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1

General

Target

8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Size

78KB
MD5

dc987ae5e2bef281450f46164c01ece0
SHA1

21d2f2010744470718e76908d1ea06df7c3c8e91
SHA256

8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1
SHA512

ba65e6d7b6161843c3b2963aa960e89bb37560e770424f9e4c41c972314f9a02e5fece762fd7d37b43dc47ae220c71945aef3ddade200358227d8279a677023f
SSDEEP

1536:158Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6E9/Yx1eE:158yn7N041Qqhg89/m

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe

Executes dropped EXE 1 IoCs

pid	Process
4468	tmp9A1D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9A1D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A1D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
Token: SeDebugPrivilege	4468	tmp9A1D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 3904	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	82
PID 912 wrote to memory of 3904	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	82
PID 912 wrote to memory of 3904	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	82
PID 3904 wrote to memory of 4816	3904	vbc.exe	84
PID 3904 wrote to memory of 4816	3904	vbc.exe	84
PID 3904 wrote to memory of 4816	3904	vbc.exe	84
PID 912 wrote to memory of 4468	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	85
PID 912 wrote to memory of 4468	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	85
PID 912 wrote to memory of 4468	912	8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe	85

C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
"C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8zako0zw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA58B5C51D404A5DBD9E82E1426AC0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4816
- C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a6f43aa5873f0671f68bc3e4dbae09e9e1efd965dc40d3bf8069a95c3af55c1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8zako0zw.0.vb

Filesize
14KB

MD5
b026a8a1ddd1976d39cd13cb028eee85

SHA1
f5cec4c4fddfb3813c82655d1435cbd32800d225

SHA256
822acb58050492ef57581ba55c52b542d5b033821cfaadafd0e6654eaf7406ad

SHA512
eeddedbeb42dcee3bb99d8199c1216469ed5cb61b05b6c367174f2e3a28a32e54cd730df152423b87c04420e8504f69bf35d174a5a54f40dc5d794e12e4c5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zako0zw.cmdline

Filesize
266B

MD5
c4c10ae5e23d18de60a8d60db0834f13

SHA1
d4b1a1016ab4594141e189ce230936c6cef76785

SHA256
37e18893f016aef78d132a2b2c7481fd37e4e71b335cf893e3702951ae27bece

SHA512
19b4963e946cdeca387adb234df82b1fdaf25587a6bec24b0d61e014fd6375f644dfcdad83a99f3f34a4eb81115808b437fac5237b3532cc713dd307fea64d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9AE8.tmp

Filesize
1KB

MD5
15079e1a4becd75ae6adb953d4aa8c4b

SHA1
cf32a01e724249b08d750a7f4497eae13b8204e2

SHA256
7a8f6de881d1f59f844a70f6a87a2e57c45fc48354ffd723a49e07e349ef9621

SHA512
7da5d9c990781d8c14bb171a2f9e11c33f7a06039a7772c6743ba39b3404c3ae169ecf4dc4b41a036a795a527365d90fbef10587ed0c7910c0a2dc328523c71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe

Filesize
78KB

MD5
b85eb4274c84527835588c84b9c8bf1b

SHA1
e3eef8797c59691652f240537ddfa8936c1b83f8

SHA256
cd126e0e853b9b468a2e2d7cc0253bec4e297b4664de2b5bfa662eec0f0081a0

SHA512
40feb204018f091a1660bacae16452b2379edf8c18967c12815fb09d4823de6a004b5b9bb8e40d163dc1ce81f9456e2f2f778d642b7f33fe12a9326ee373adfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA58B5C51D404A5DBD9E82E1426AC0.TMP

Filesize
660B

MD5
d1e57e6671cb306aea9b7c7e34933594

SHA1
6d56a45f12e2a328f6ad500f71c6a871e8610db4

SHA256
631d090efa69bbd564177e2da02b8219afbe3256c7e70df7261218377dcc255c

SHA512
521d24c62e59e4a6829a9ad5d5e5d3fef8a32f43239b3e576da56c155663ddaeb5274289c0f9cdae9b26a322e0f4017c4806ed942e28b39960f10eba9161028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/912-1-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/912-2-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/912-0-0x0000000075382000-0x0000000075383000-memory.dmp

Filesize
4KB

Download
memory/912-22-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/3904-8-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/3904-18-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-23-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-24-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-25-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-27-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-28-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4468-29-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads