metamorpherrat | 8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2

General

Target

8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
Size

78KB
MD5

12d6e4ff4033556686cdccaf7af4478f
SHA1

c2f3f06052a6389f9ff79797e2b6d19d42c27cb9
SHA256

8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2
SHA512

97c39fbd3fecef75050dbfe517a902a4e329e2cd0190924b73a1634847e50de7ae1af88af7e34624dbf9b1ff6d8b0a66eee401583517e003542ec42197e34593
SSDEEP

1536:mPWV5jAXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6i9/Bj1nZ:mPWV5j4SyRxvY3md+dWWZyh9/9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe

Deletes itself 1 IoCs

pid	Process
3936	tmpAE9F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3936	tmpAE9F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpAE9F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAE9F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
Token: SeDebugPrivilege	3936	tmpAE9F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 1228	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	83
PID 3340 wrote to memory of 1228	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	83
PID 3340 wrote to memory of 1228	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	83
PID 1228 wrote to memory of 4564	1228	vbc.exe	85
PID 1228 wrote to memory of 4564	1228	vbc.exe	85
PID 1228 wrote to memory of 4564	1228	vbc.exe	85
PID 3340 wrote to memory of 3936	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	86
PID 3340 wrote to memory of 3936	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	86
PID 3340 wrote to memory of 3936	3340	8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe	86

C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
"C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v7nlg3ll.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E93176355F74772BBD5C0ADA826B6AF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8512f6411b7c8bc5b320059b78484b1603b5ecb31f5405824815b6ffb47e57e2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0D1.tmp

Filesize
1KB

MD5
8aebc193ff5568ef599b05ec0c6da595

SHA1
c7948da9545dc4319f36af5c49f1040bd0d4c208

SHA256
ed57948d0e8c0ff946e80bb5fa54f47f6e1145a6c5854bf1b44a657f04dd11bd

SHA512
008882a1d777d7d130f5b9c092ce77369aa047d94866db21e84625f8e7fdc37aab1fd0036cffbe77fd829f4709c0bd0b3efa031187abf9f75c17aed79b30941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE9F.tmp.exe

Filesize
78KB

MD5
b8a1a737dd502226402846dff324e8c6

SHA1
ebde3e008dbdaefe2695e6c91e0a1d369541ed25

SHA256
2db4ba551c93c5a00a793cadccc14617e0576622e52a3f4b3ca49ce41981ff2c

SHA512
ab69b445385a9f87fd4426641bfd0f430720353af3a822215168cd53020a8ef8d4d1b9ad91dbed88f714d175e7f9ca05340017256498e2d4046dd2f0c6b16f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7nlg3ll.0.vb

Filesize
14KB

MD5
501816f91cc02511038774ad14e9fb42

SHA1
dd13a4b052b9d4868c624fd95a33afe40fc624b2

SHA256
74bfd07efd727d974e223f9c1daa99f6a8834b9573ea685e8e0adb3700cf44eb

SHA512
97216ff5bc09d4ad89bb3edbbc6b406f56b878ec3b86a03f9a72c59710a6461f7f665298a980c8ae41a9b4566157851830df3ec5c47f00f6fa58d40378096239

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7nlg3ll.cmdline

Filesize
266B

MD5
9b5d34206665492b27e78ca030d1305e

SHA1
423c40eb0edb5907c3b0e1b7cd2aa7be273dd6e6

SHA256
028c2b7fd7e90b93847d3c60b7fbb6b9a6fc1f96a09bcabde74459dfe9a92ea6

SHA512
9ba15610881b3e5b0bf8de65e34d5dbee4d4a0ac89096246bc123389462959a350ca3143e1380a9c46887af6fc14a321bcacac76f49974e9ac14d4239f015da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E93176355F74772BBD5C0ADA826B6AF.TMP

Filesize
660B

MD5
0ae695f7599039d6471632a8cdcb5a2e

SHA1
1825db7eb937804e51ed9c0ee6d71975b4567788

SHA256
d913f9b19333d105d531ee797e835e53334f3974147f5a4fefc410cf48356722

SHA512
91460e46b03a6baaff5197eddfdac23bf2ba81518e095f2ce0710d48f81b7b27d08b972fbff5fbc03082f591a2d27539fd3b507717095e7fae8460c2e92b502a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1228-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1228-9-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3340-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3340-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/3340-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3340-23-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3936-22-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3936-24-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3936-26-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3936-27-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/3936-28-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads