metamorpherrat | b77ffa2d207284169106d837b65f41fae1fc40335d6d561f16a519507b819fcc

General

Target

b7e955b408896bd111883b2797b5206d.exe
Size

78KB
MD5

b7e955b408896bd111883b2797b5206d
SHA1

fd564fe92e456cd0777b8f6468a4cee8499c313d
SHA256

b77ffa2d207284169106d837b65f41fae1fc40335d6d561f16a519507b819fcc
SHA512

461b0bc42f32123fc0bf08cd008985ea9a760588daf00db5a225667baf7e9f38d5d69918f0cf639f218f6b7ab20fae27919392d8cd50f745f78e98deb886c9d8
SSDEEP

1536:APWtHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtT9/21Lp:APWtHYO3e/vqyA11XYUBxprBPjcT9/y

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	b7e955b408896bd111883b2797b5206d.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	tmp3642.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp3642.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	b7e955b408896bd111883b2797b5206d.exe
Token: SeDebugPrivilege	2612	tmp3642.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4452	4884	b7e955b408896bd111883b2797b5206d.exe	87
PID 4884 wrote to memory of 4452	4884	b7e955b408896bd111883b2797b5206d.exe	87
PID 4884 wrote to memory of 4452	4884	b7e955b408896bd111883b2797b5206d.exe	87
PID 4452 wrote to memory of 4000	4452	vbc.exe	89
PID 4452 wrote to memory of 4000	4452	vbc.exe	89
PID 4452 wrote to memory of 4000	4452	vbc.exe	89
PID 4884 wrote to memory of 2612	4884	b7e955b408896bd111883b2797b5206d.exe	92
PID 4884 wrote to memory of 2612	4884	b7e955b408896bd111883b2797b5206d.exe	92
PID 4884 wrote to memory of 2612	4884	b7e955b408896bd111883b2797b5206d.exe	92

C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe
"C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvglprph.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES372D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83D455EA6424F428D3453CE2969D7B.TMP"
    3⤵
    PID:4000
- C:\Users\Admin\AppData\Local\Temp\tmp3642.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3642.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b7e955b408896bd111883b2797b5206d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES372D.tmp

Filesize
1KB

MD5
7e1432cd85a9a0a5316c29416aae9ad6

SHA1
f09479ba4d28b9c45b4e9501d0ecfa104ab4df57

SHA256
80ee75d3bcf3e4ea61b450705caf343e2c46987b613c48ed3353a8e52dd869c8

SHA512
f787532f2626b77a4624ca507b2b646ce7218b528e0cee17364959e18c7d72a7a548cd73c950e2df021c8784d90dc13aa7a081384db6df4113d9792ed46c4a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvglprph.0.vb

Filesize
15KB

MD5
0363d3b8902dd8ccaea9ce7e7b73a383

SHA1
2a5b611112aad1a2ba7589ef98f20e1e9e6a1c10

SHA256
7ce17945078318a043b19d286b84c244a2aa1c4415e2ac6cbee825285b7321d3

SHA512
d23ab37a8ff47fbe620c6dcf33d9b60cdcdd7f43d5c4a1eb5ba3e1126155561c9821dc3eb6a28ef0be90f04b3e3d9201c13be43948bce36c867bc016c305fed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvglprph.cmdline

Filesize
266B

MD5
5e2990854601411e7fb030af08e6a99e

SHA1
424c6baff8868f71a95b7ede9f7865760cf9feef

SHA256
b68c0c826389159923027bff2bfba12da608d5824323be1d3b4e1eb1993db8e2

SHA512
84bb8dadc54df13c99cb8aef958f08175730d30d150421976496eab46501b7108571015eade625f5e0a555ecc1645905d8568e5deeab3c75534c6be7c50f2e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3642.tmp.exe

Filesize
78KB

MD5
923ec4f5674285082e02a1bdbf7226f3

SHA1
ed7e903d9017d8621612cae8465b9e60e1a96aff

SHA256
01449be7e63f7829c84b945e2a3f31653de04f49571a2506df6d8f9564e14d26

SHA512
60ff42dfcb564a0f6283eb67d8927a1364c543d53c5cbcd5e2047f88e729ea1f8f4ce70073ee904789541cff960e82fe33a33265927fcd43452371a486158a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83D455EA6424F428D3453CE2969D7B.TMP

Filesize
660B

MD5
8ba5dfcba5a66a45f44b8aa1f12b03b3

SHA1
b8824ad0be96ddc4e477d21f0779f32b279f9fd5

SHA256
366adf29c463f69bfec5298cceee1e7de4067ffff15a4eb5d786e08b517fe92c

SHA512
0a859becc2c776ffe19c9b941d8e4a648b4284aebbd4ca5db5d4a6d70dd9d352ae3df9f21517906a3bec6ceabc8063cea39088e1ae0bdce346776763958cfaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2612-25-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-21-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-22-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2612-23-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2612-26-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2612-27-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/2612-28-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/4884-1-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/4884-0-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-20-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-2-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads