metamorpherrat | 79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3

General

Target

79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Size

78KB
MD5

338ac0cb49828be98b61335242bb79dc
SHA1

d9f6daa5a82eca26ff64d20428c693384cb90036
SHA256

79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3
SHA512

1f33e8b5f90d15436e8b6a7542ca8bc14e7cef9db8ecf0c591b0f4092d608e3e9dc27b2f39eb6fcdf8616a9f9d4f4d8eb63721d658a1c19d4445926e8aa63eb1
SSDEEP

1536:shRWV5j3XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96159/eG1HQ:wRWV5jnSyRxvY3md+dWWZyG59/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	tmpAFF7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpAFF7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAFF7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Token: SeDebugPrivilege	1656	tmpAFF7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 528	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	82
PID 468 wrote to memory of 528	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	82
PID 468 wrote to memory of 528	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	82
PID 528 wrote to memory of 3736	528	vbc.exe	84
PID 528 wrote to memory of 3736	528	vbc.exe	84
PID 528 wrote to memory of 3736	528	vbc.exe	84
PID 468 wrote to memory of 1656	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	85
PID 468 wrote to memory of 1656	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	85
PID 468 wrote to memory of 1656	468	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	85

C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
"C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_ikuav9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32551FFB64634585BE358F6A3E224059.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736
- C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp

Filesize
1KB

MD5
195cde44ace2929712996366b1e7cd09

SHA1
8e58fb9e0d223bb07aecd1a3661525363df395c8

SHA256
1f5dcbd0b4636add3f09f1d21cbf21611b2a986b35d6fc3d65fec07fda9d43c7

SHA512
a10c9575783e54241a11bac0673b7e7eec99a06d688a9c0ef94a80b510e72131609afd225f026d068d1b0d2b695f711819252f96731f1f09776c3ea431aab860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe

Filesize
78KB

MD5
138e4fb2e6e804e9e34062cac2bf17f6

SHA1
15f3b5ad65b1fe7c7e5ba9e3bdfee6f421e07305

SHA256
710fa66a775d619262d08401bcfe64ac7b3f3a851d20b8d2ebaa0c475247a0a1

SHA512
724c9fe66221d98c56db95b709af9d51922fe4b68717e835baeacc8dcd6e63439c68bb2c1d5f23bd3826df1ce5d7f390fd382ffa490d663dbd97ee325bfd2a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32551FFB64634585BE358F6A3E224059.TMP

Filesize
660B

MD5
e8ebb6656dd1155314dfeb21f1f2da6a

SHA1
e6efc86a051b1e9d03febfa6bfcd1ab3af58c60a

SHA256
1bf7141b67e993deb2101421dc3bfe8bbfc785f953871b81813df3095e8b0bf6

SHA512
1912a627e5c05ab4f3fa9767c1aad9c44211cde7d4dbcb28c502f383f63824e9a859f0cc35aed182ab198e68ed6b9654719a28eaf38d5bd1d4a87accad6ad455

Download Submit
C:\Users\Admin\AppData\Local\Temp\y_ikuav9.0.vb

Filesize
14KB

MD5
fbd93dec0ae4cf9b10455bdf3b8d9a98

SHA1
4c2fa5b49192b9ff0941f4b5b9d5eb321e13f533

SHA256
8d1772a31a9ea9b66afa541ac7334efc87b7d96e597cec1e7baa74297a330dea

SHA512
03605923f7a071f6c8e2003b7264a5f8af432f7b7feeb470fc641ee4705331118303a9e2f30ea60975e0678162f24870a54c1e633a79ddef9bdbe1548a09e250

Download Submit
C:\Users\Admin\AppData\Local\Temp\y_ikuav9.cmdline

Filesize
266B

MD5
3552b534ffc0e79b7744db59b23775e6

SHA1
170ce299d05850300a0ca0d4a4edb20dcbfbca80

SHA256
05344246840c4c5d72e13c6dc948ebcf97ec995610979ed081a3ee9aefcb0a64

SHA512
ae2a310857f8f3c0f5548a2ab2bb7ebf56a1eb50bc855f48c9d7476aeae1fd18f137888c6435ffbf1b121931eb96377a31ee8dd0c18617117a22afb2030dfeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/468-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/468-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/468-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

Filesize
4KB

Download
memory/468-22-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/528-8-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/528-18-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-24-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-23-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-26-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-27-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-28-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-29-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/1656-30-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads