metamorpherrat | 8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28

General

Target

8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
Size

78KB
MD5

83b27d364390c72c4e2e7f40987a6fc0
SHA1

3513ba5080ad679d18aa7c390d88e143da07890a
SHA256

8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28
SHA512

43c4529f562df253bbfa31fdf5436c5b0f60e1e9bd9c5243a4f2bf1641e4e394f3f28cd21d651ac2c7cda8f97afe23121edcda78e029002e510636bfee78d59e
SSDEEP

1536:PuHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRd9/U19K:PuHYnh/l0Y9MDYrm7Rd9/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe

Deletes itself 1 IoCs

pid	Process
3956	tmp901A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3956	tmp901A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp901A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp901A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
Token: SeDebugPrivilege	3956	tmp901A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3320	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	83
PID 1876 wrote to memory of 3320	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	83
PID 1876 wrote to memory of 3320	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	83
PID 3320 wrote to memory of 3480	3320	vbc.exe	85
PID 3320 wrote to memory of 3480	3320	vbc.exe	85
PID 3320 wrote to memory of 3480	3320	vbc.exe	85
PID 1876 wrote to memory of 3956	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	86
PID 1876 wrote to memory of 3956	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	86
PID 1876 wrote to memory of 3956	1876	8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe	86

C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cberiwc1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74DB9FCC96714890ACAE4FDB92BB31CA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a5cd9e4083c753eb3e0f2deb6c11776b7539e6b50b0c75db022a06adb048b28N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9143.tmp

Filesize
1KB

MD5
b7885bbca7c984a8cd2a0edd8651215e

SHA1
cc48a783d54daa405b8bac5a0c4877e3be8fc206

SHA256
85aba5b3a9a74fe05e174168692726bbdc511382ca4250d690a0fd8d9e014103

SHA512
2722fcbba0a121f2d6b9154947f9f692aceced6eb1b4b4b9d447bf1c9d2ffe7b735b50e962770d6251b45425301778c04e415ad19adb522726f12b3fef709d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cberiwc1.0.vb

Filesize
15KB

MD5
9e5f375030fdec0f8fb50276038c7e68

SHA1
1d63eb419038b295e45896a6913e2552dd08edf8

SHA256
b905d04ad08c7233c158c67d182cae8d7e6aa4742da8dd39c2d60374540a170f

SHA512
634b48d84dc4a428f2a5407830f8e7bc6c0ffe407777bbd93cbedf190ad45ebc6bdff36b31aeb68d393b79576b88c7482a4b6e130683716dd71ca12c9bf81b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cberiwc1.cmdline

Filesize
266B

MD5
fe342ce6f88601e4c4a62334bf2a70ac

SHA1
2324bf1add43fbbfd1f50c36723dbd1d11366c2c

SHA256
00bf7e584b1e2ea841d6807f6704c0ea47e8ff34b76311879e13be4530eae7cc

SHA512
e9226b34715f6bc57fb6c62850cbe8abb280afaeb489e70bfe67c6a0f67dd85660a0c7fe1829dfc8f343fc53afc41968d3bbfbc691e995aafd4276b0d17e4114

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp901A.tmp.exe

Filesize
78KB

MD5
f530a160f50e7430bdb6ff1abf4d26d8

SHA1
675cd21e1b989a9ae61a1911aec19b0d848f4704

SHA256
5baeb09de0f6ac4c0e40b80dc141933a9fd46b2c7b2d3edbf1f3955153b6024c

SHA512
45f84fc02579d138da174ad6596a6812f358c32e85aeff71d3e88a8a479762767249a6ec42e597404b05d66dddc507343339cd9864674dc0e036cfb1f53209c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74DB9FCC96714890ACAE4FDB92BB31CA.TMP

Filesize
660B

MD5
af1f8b64e3a3c34f3713a16b683cbc77

SHA1
38daac14a3b97d631fb54dfc8a64ad3c7c6ad545

SHA256
b3cc8017e1c5ff245a93103fa3205eee15c3e5231d5f2d755887068d8387dc3a

SHA512
38bf4571cbb8ed71af3b4cb3e897023334a99d30f2cfb86815c8a21805fd6b7fa8648ca4a9a09989dd671ffeaf4cb553a400c9549a3f331c017e1af60156f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1876-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1876-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1876-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/1876-22-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3320-8-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3320-18-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-23-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-24-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-26-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-27-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-28-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-29-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-30-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads