metamorpherrat | 852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532b

General

Target

852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Size

78KB
MD5

b742de9bc496dd534ff7c724b89d60e0
SHA1

01d90fccfe45eb41f4320b7bee05c4607b0881b8
SHA256

852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532b
SHA512

277b505a44ae2f4ae6db9a50ff88087656ca6afe65bd1841bf3e83d7e7ec15c486e4cbdc2daadc4e4a2c45fa86913e512585c85f82f6ea4bcdbe6510f6e43edb
SSDEEP

1536:VHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtv9/wW1u+:VHYn3xSyRxvY3md+dWWZyv9/wO

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe

Executes dropped EXE 1 IoCs

pid	Process
3376	tmp8F6F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8F6F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F6F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Token: SeDebugPrivilege	3376	tmp8F6F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3332	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	83
PID 4048 wrote to memory of 3332	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	83
PID 4048 wrote to memory of 3332	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	83
PID 3332 wrote to memory of 3968	3332	vbc.exe	85
PID 3332 wrote to memory of 3968	3332	vbc.exe	85
PID 3332 wrote to memory of 3968	3332	vbc.exe	85
PID 4048 wrote to memory of 3376	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	86
PID 4048 wrote to memory of 3376	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	86
PID 4048 wrote to memory of 3376	4048	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	86

C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
"C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ghmsvkwb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES902A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE70064AF7BF4E65996EDB050DE5840.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968
- C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES902A.tmp

Filesize
1KB

MD5
8ff69622092334e39800a381b8b7498f

SHA1
0fe2719ff3af3af39383694856bbc719d5e6cb21

SHA256
f8918df7c81d3d4630995e41283e92124bfcb6a34560777dd3166d180afc610d

SHA512
d7b16bcd76604e1edc9436e0db5f403ed96cf3a3e3327bf906e54319220c8c84428bd31b4ea03ae0030a73f0b4bf74f6f5f2f5ec0f41d7faad7b9e2f14dd7ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghmsvkwb.0.vb

Filesize
15KB

MD5
a060082c8ede52d46c9117eeb6781918

SHA1
613e6f168239d1142f170e9e2256927ec3aca7bd

SHA256
541840f3876dc19e323ba9b965842d0f4c88ec41b6f3c9452c3215e8fef283ec

SHA512
0452d27bce885e4b974369ee9f7fb8cc35aef049ed5f9c7d25e228ceb21e3c5d29892fea70abff055c9016800a19cfb65433f1bb777b79ecd8ba50ca458a4350

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghmsvkwb.cmdline

Filesize
266B

MD5
c678edf70ceb271ef54695bcc4fc1b20

SHA1
209cc9f072c6d6c1c7c4a08784c187ae574f45d0

SHA256
22cc95269c5505d2bea758b5539e07e46b728ecc858355580936158fa8a84b63

SHA512
269176e4283b43296be4dc09aaaab8f31a0b6da4f49b78eaa2ef6289fb38f3233e7e2982260e3b64deb576e3de4629ca0a67c11cc57188123f1d5d5abe9424b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe

Filesize
78KB

MD5
08c0a9bf6b7661eac9f3b7b48bb70300

SHA1
a5a69664617c0e5083fd460111e235b7eab0ff75

SHA256
20050a6232990ebe048b75daa5f58943448d729186c8d822bedb554ba140c406

SHA512
d1c052d1526d118c733630b441a9d385b4089f9353a3925b758aba168500711ff7813638446390faabec153231b87148bc3e6046891fc0bd61bcb3c9c6c47450

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE70064AF7BF4E65996EDB050DE5840.TMP

Filesize
660B

MD5
bf7b737b6b11c2ae4789bc2e1e4801f6

SHA1
f5b8f4c1ab17f12139beed65eefe7e6d56441aa0

SHA256
c71dc7c3d16f5e775715f040a4ab33536bae9d9d25983a7c63bf457e76b7c043

SHA512
e51f694fc443682a59fb2ef056e2621f055ca8724e92165e24ebeaf425481255c91266f469d8bbbd9a146b71bdc70c13a07bea5506e4fbde473e02634dbe819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3332-8-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3332-18-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-23-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-24-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-25-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-28-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3376-29-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4048-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/4048-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4048-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4048-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads