metamorpherrat | 288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc

General

Target

288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Size

78KB
MD5

f8bb09157694e42a33a50598ba04fb6b
SHA1

0c0ac1cd86a8fa3873f25d8018d4fdfd43563a00
SHA256

288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc
SHA512

e92ddf32c7e3ca4cb0812d8b49c5e3a020aad30ae8fb2d73c2535f990f765afe2595d80b15740a94c827459855a994d4c11335c16d633164cab8e906ced20725
SSDEEP

1536:zhRWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96p9/WRa160:lRWV5jLSyRxvY3md+dWWZye9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe

Executes dropped EXE 1 IoCs

pid	Process
1308	tmpC16B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpC16B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC16B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Token: SeDebugPrivilege	1308	tmpC16B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4120	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	84
PID 880 wrote to memory of 4120	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	84
PID 880 wrote to memory of 4120	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	84
PID 4120 wrote to memory of 2456	4120	vbc.exe	86
PID 4120 wrote to memory of 2456	4120	vbc.exe	86
PID 4120 wrote to memory of 2456	4120	vbc.exe	86
PID 880 wrote to memory of 1308	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	87
PID 880 wrote to memory of 1308	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	87
PID 880 wrote to memory of 1308	880	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	87

C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
"C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7j4itj1a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC227.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C9E20B937344E209B49AF17C09181.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- C:\Users\Admin\AppData\Local\Temp\tmpC16B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC16B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7j4itj1a.0.vb

Filesize
14KB

MD5
142448d6aeeb7a5603ddf14a5100bbf3

SHA1
f33547f7552c0036daa5e844b77445976f3f73bd

SHA256
7a96ced19e7e44ba732faa7c32dc96301d2f4fd624c3ef04ae62f1862b159a4a

SHA512
2c7c0cff0eba7dc8cbd947856349c1d916b72917d9efb5552bb3b40ae5f3c561727c804c53692fbdb11ce35dbc0d72a7086c0a31c1e5b63a4a6910ef11f34b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7j4itj1a.cmdline

Filesize
266B

MD5
f80088f49253bc4e9c4c546a3ddf54a8

SHA1
f9a846b94e0dba9b5cb1c23d3b6caa8f941b18c9

SHA256
97483e63f34f1b56be97dc33e439a21d54a270377c87869465ee1db2e42c79f2

SHA512
7fc5265135e344388738ce5cba91587dc5f0fa62dd488e7d7b16db8f898ed53b5a6b26bcfaa442a2c2f0c146d0d751042d4518d9d14d5e438d28edfb361f0679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC227.tmp

Filesize
1KB

MD5
536aa9f0913e75112c1c20949738f8b1

SHA1
43e06b357091897730e4af70fe16f5ea6b5a23f4

SHA256
78ca69c1a16d3eb30508c7a5823b7ba6d22446269535813fdb317cce0a7e3c17

SHA512
d75212db08c83b9c2cf0463e2aa249ba0f0ac250feae020b666e3d89da1e571d10e57bbfa9667ffcecda7b72f98d498a26548838e3b47840fb5a33234e05162b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC16B.tmp.exe

Filesize
78KB

MD5
274f9895a6b31b5e1dc411d47262892e

SHA1
19f08cdea336620a0f689ac46b90002a2b9bbd28

SHA256
3e5787d9b064d89cd40d8c5b9faa7057abb1f51232c0ec0edecdf517aee92e06

SHA512
38321393ac83007c56080207a05618e276706641ed9ffe436a391a33e90b39a083ac77c7db2c50ab561b42c00fff3957f45fda5bce72f6033d466502b7d39d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C9E20B937344E209B49AF17C09181.TMP

Filesize
660B

MD5
77947395634dfbce36efbf278e1ebae5

SHA1
af1d09dd069efa92fd202820120827ec7e718d56

SHA256
8861282f4326cc12da3eadaad5f343ff0be1dd0daf0769f0f7dc5983ef3949d1

SHA512
8b483edc5a3c6609c1901b00e9a43dff66e5e1593c20b2ceadf0c9a2e7599374c7363725924e18f9d630b1429dbb475e7cfa43be8bd3ff35fe04c6cc62b16792

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/880-1-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/880-2-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/880-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

Filesize
4KB

Download
memory/880-22-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-27-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-23-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-24-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-25-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-28-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-29-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-30-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1308-31-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4120-18-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4120-8-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads