metamorpherrat | bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0

General

Target

bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Size

78KB
MD5

3bca59494733119c7da105bcf6926a90
SHA1

144dba8062069502fe3700802f752a4a7a4cd28e
SHA256

bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0
SHA512

5e7a454a7619a176bc7f08e952053270af392db32d36225c136a5a960c31d9c22f9919495daa607323fba1825e71e407c01dd08b08d9a528616cf48d89a44418
SSDEEP

1536:fCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQti9/N1Ag:fCHF8hASyRxvhTzXPvCbW2Ui9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	tmpA3B2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA3B2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA3B2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
Token: SeDebugPrivilege	4528	tmpA3B2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3584	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	84
PID 1312 wrote to memory of 3584	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	84
PID 1312 wrote to memory of 3584	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	84
PID 3584 wrote to memory of 1868	3584	vbc.exe	86
PID 3584 wrote to memory of 1868	3584	vbc.exe	86
PID 3584 wrote to memory of 1868	3584	vbc.exe	86
PID 1312 wrote to memory of 4528	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	87
PID 1312 wrote to memory of 4528	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	87
PID 1312 wrote to memory of 4528	1312	bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe	87

C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
"C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akasju0_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD07DB4693949B9ABB533EAE9447FB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bac3ee291ecd9f6af92c7005c1bb25a5f8e9ec0c0b7d0d400d06112247e786d0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp

Filesize
1KB

MD5
dbaeca339384cbe1744952a881ed44ec

SHA1
55d793a190f3720c43a6f63029718ccf467d6219

SHA256
31264e74c122465b63c7cd70bf4e1c0765728429888088914f3785e8dca1f6bc

SHA512
bf4003d6c28645ec1264ca544c1e45358c53e79d4f4c95d3d3af66564e43930baf033302b7b9db35d5c731d71a90e1e17a938f47c9d64016368909ae6f308111

Download Submit
C:\Users\Admin\AppData\Local\Temp\akasju0_.0.vb

Filesize
15KB

MD5
15d39b428c89f5de203e999a769db9c1

SHA1
78c34767669220e887a909a2f03535ab0ee8189c

SHA256
6ed9f9485ac75a4129665fb480599b6e993616f4852dde204cb6c675064a7dda

SHA512
34f1a41d060ccef64cbe379cb9033ce3bd71e34d35e4bf0bd5d798b32a3844819326ffb2e76f7dc7c70070c9330b0418ec69a3e6d1703aa60c0571361d4fda6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\akasju0_.cmdline

Filesize
266B

MD5
3506f880bf546bdbd71e31e118e21545

SHA1
17b334c6cd91ef2cb5ee037d52de92cd5084f340

SHA256
d394b108187c4f2cee807e218b642f5222a6ebf4c5c48657a76a1b72bac61564

SHA512
11e2f516783c71ee7dd79e8bd83a59b41d86a35eb45202e9cfe979e42984a277591d1327988e37debc93850ce6c4e13173828e6a0ca88e50aefa50e10d51b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe

Filesize
78KB

MD5
c800ff3d07e4286e9243c4995d858e54

SHA1
47905f2991810149118994cf0b5107e5433c09c7

SHA256
b8667f814689ebb004f504891b00ff8c58d55651dcb43422e7e54e512ecc6b50

SHA512
85bb0243a6a998580eaf6bca8400fceac0211a64263f41fb02d6afe5d2a0eb73c047e8a687b2b986a94c94ebd3fbf36f57d2678a5fe02345be5a8ac5ebc0f1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCCD07DB4693949B9ABB533EAE9447FB.TMP

Filesize
660B

MD5
ae401872750f97bf37d7286e13754352

SHA1
b05a92bbe0e6f0ca20815d53877ff5449ff42298

SHA256
c43e7e547ed0f2adc07d5fdf1c169039aa718dc63e63b8f557814fe93ae58fc0

SHA512
83d6d87a124f86d12008182e8494dfa34c3acd0dcd12a96fc586462058d38debdb64d63b7c2974352952025ac4f640bd2de5ab75a39f0db2696a910fb4a817fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1312-1-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1312-2-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1312-0-0x00000000753B2000-0x00000000753B3000-memory.dmp

Filesize
4KB

Download
memory/1312-22-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3584-8-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3584-18-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4528-23-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4528-24-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4528-26-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4528-27-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4528-28-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads