metamorpherrat | 83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0

General

Target

83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Size

78KB
MD5

5a796d7b24648dbdc222397fd0652e9b
SHA1

e61f76d4be3a988508565e1d7d012fd3978d998a
SHA256

83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0
SHA512

60818a41df65b37323263fe052830e115251fc218d87533568dd730496c3b9c1b5fdb18811a2ee36750c032ba23a5bff02e04daa0a7c15772336d5b05fbd71a4
SSDEEP

1536:8StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQte79/x1qwS:8StHsh/l0Y9MDYrm7e79/DS

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	tmp8CA0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8CA0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8CA0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
Token: SeDebugPrivilege	4884	tmp8CA0.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 5064	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	82
PID 2832 wrote to memory of 5064	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	82
PID 2832 wrote to memory of 5064	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	82
PID 5064 wrote to memory of 3924	5064	vbc.exe	84
PID 5064 wrote to memory of 3924	5064	vbc.exe	84
PID 5064 wrote to memory of 3924	5064	vbc.exe	84
PID 2832 wrote to memory of 4884	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	85
PID 2832 wrote to memory of 4884	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	85
PID 2832 wrote to memory of 4884	2832	83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe	85

C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
"C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3cpemjdu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD197C1C8459F4793B55B50C933DCA745.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
- C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\83f11f506adc459ebfd8a62192534f1f715c9ea57d55c93862c8d616050237c0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3cpemjdu.0.vb

Filesize
15KB

MD5
e850d7e43a8430523bc532cb1f30873a

SHA1
f9a3889b1567c4a34dd7ab78b4323fa6dfba8e38

SHA256
ee41aad7cbb4d876f86a95c843b2826565800ebcaf57702175d0fdfa15a72618

SHA512
b1d84727ddc716e177432e11df21011d341f369a938fd9b1080f8c91a57b0b7c241ae842c8be5e6da1c33bb22b9dc0fa94696ef799260c03e2932a8676ec2bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cpemjdu.cmdline

Filesize
266B

MD5
879e7a72145a45c8892a83e026776079

SHA1
7cd8d48981be43585018d6ea53b41da42030e6ea

SHA256
9ff8fb2e3adcd900106d3bc550db58ad27c6ea6b62353e02dd7ec7a91d5e8433

SHA512
ecea83a30814617398cea3dcca8668344c4abe41812a60e58ff1555b4aea7d316247191b0ea83ebbac002184ff441a74577efa6360abba73b33a7f3abbd9edbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DB9.tmp

Filesize
1KB

MD5
e6096b76754919283180b5e5e63e4a11

SHA1
54d86d6af5927f412849ef63acd3f2851b87480b

SHA256
38a31f5c8e55f436935a730f3ab344125e262aa0bbd6a2db6faa5aa9095297c4

SHA512
f5cd9a46fb1c015d84297fdb0568f9a6c38cbefac835a693875be3301ad73ffce6faba1bbe39b43f3586b3cdd0a3630603487b226e529d471d18a9c78ca9be83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp.exe

Filesize
78KB

MD5
63ca07f3c213ad9d2da147418801e67c

SHA1
f686ccc166f82040482932ad86cafb19b7e4d62b

SHA256
9f1badee9dda36380582e6269d6106107cac8aaaecef760f18d3744e5e462b57

SHA512
d9fa9878f0792e6287e6b6e935d9d80bea52fb5cf53bef0419b6a53bdb19a22f09d98dc68c3b955c6393eeb3220087ac6ce8bbda2aff8456e596a35794d481ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD197C1C8459F4793B55B50C933DCA745.TMP

Filesize
660B

MD5
6ff243134472ea075b22c763c1761038

SHA1
c22bafe552324b7a0b2452e1423d40bf85280bc7

SHA256
a082abe7a4eb9c6783bb0ff9fd92daa406a35f18c68ef6d17839acd602620bc0

SHA512
9a81cb62aab4a34df3a5da4974929ca12c81a61b2495b238f82428e466e09c40a5d26bf309f357d97139023b3eac5377e2cdda4b7dd8aa35786f597cfb5f77f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2832-1-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2832-22-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2832-0-0x00000000745F2000-0x00000000745F3000-memory.dmp

Filesize
4KB

Download
memory/2832-2-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-23-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-24-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-26-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-27-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-28-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-29-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-30-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-18-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-9-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads