metamorpherrat | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70

General

Target

8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Size

78KB
MD5

64d6e93324b0895e0b790c167a579393
SHA1

2f4d390f82feb9513e2decbd8b2165340e3a33f0
SHA256

8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70
SHA512

05328cf8d036b879b8e05e99b8347c306e8551ca9dde63b31eb2b1f02190de3308d179f8b46169e7e2489224dee78806d76165b4f5dfbef5a6af43045c96a552
SSDEEP

1536:SRWV5iXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/I1mHd:SRWV5aSyRxvY3md+dWWZyl9/Vd

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	tmp732C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp732C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp732C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Token: SeDebugPrivilege	2896	tmp732C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3960	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	82
PID 3216 wrote to memory of 3960	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	82
PID 3216 wrote to memory of 3960	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	82
PID 3960 wrote to memory of 2880	3960	vbc.exe	84
PID 3960 wrote to memory of 2880	3960	vbc.exe	84
PID 3960 wrote to memory of 2880	3960	vbc.exe	84
PID 3216 wrote to memory of 2896	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	85
PID 3216 wrote to memory of 2896	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	85
PID 3216 wrote to memory of 2896	3216	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	85

C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
"C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8bm0tase.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD66FA52677654E0A8DB75590FAAC324.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8bm0tase.0.vb

Filesize
14KB

MD5
90dfa54f30ed1ca7ffca4d0cce1f56cd

SHA1
2efbc2967e28c2cc816ead4823f7449a65c7e6ab

SHA256
60774f6cc6136bfe86c8abd5cd45aa5905e766918e263c6c3e625eb6cc951873

SHA512
b8766014fb422726a904447f54d1545d57dffde9a64776cdf8be89c431f2b549372e44a906cd4e9f8bdf86968f49bf7fc162a59e989a8d4669a0fb418de10e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bm0tase.cmdline

Filesize
266B

MD5
986bcce039bd8746565916b94c935e3c

SHA1
dd3c746efa2eaeeac2433d5d055bc002c9921efd

SHA256
c28105f2aa4a540d7d94a13fcbeeb2aff581209e215c12c3288e673ceae2b56a

SHA512
ba1aa8e3b62eb6ded09ab176fdcc5202576de63b02e24964c920318325c442bbd63242389dac45b9480f7d42435a68ffb8ae6a836d26ca8466984faafa347b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp

Filesize
1KB

MD5
fe5bd8327119cb959549d953faa93140

SHA1
31b5c124d988e1af3b0852c81ad2a6cbaf8ea077

SHA256
3ed81aae60124cb41ff4e5f808356808010d878a67365ac60664508057097b28

SHA512
2a8436bb47f1e722b733549f054eb64856ff2d8dd5f19b38b0577b5eed95dcb5333ab2a4f4b47fa14379bb97c358ed43e14a6b7c2a37b73d09f3a14a5ac5e237

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp.exe

Filesize
78KB

MD5
631af5829e07aa65981bd0adbccc7e73

SHA1
5f92acd30dd0f1f59195c0b41a77341552885f76

SHA256
187d04f325d2192e534b60e0f2aec543f8756f0311f6539ab96275357fd02bdf

SHA512
5dd6a1d8429771bcf870d63c9fa4ec8e2cd78a5509718742c9688cb313225dbbc3343b9a24865980570185480d4049ee1d9578726d4ed99201ef5c8ec3316d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD66FA52677654E0A8DB75590FAAC324.TMP

Filesize
660B

MD5
41c5571a86a694661033dcf89abacec2

SHA1
8686307fb0d718805bb011984a8601e35aa5bd6c

SHA256
3114dff7205f261d1b6113ba70eb0e32b52316bac089c56bf14a19de613fb2a6

SHA512
57bf2a5858deb33450de3352cd24518a1d8a8570044073d74aa489d6770fa4876dbb2df21e9563076a2592d5cff4a2ef27bd28eb45de61b95e29d44fab60371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2896-24-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-23-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-26-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-27-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-28-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-29-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/2896-30-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3216-2-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3216-1-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3216-22-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3216-0-0x0000000075372000-0x0000000075373000-memory.dmp

Filesize
4KB

Download
memory/3960-9-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3960-18-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads