metamorpherrat | b7a3e95f3dd3c706412f0c9abe4a5301ad697a35d3fa96eebeab2b1b99b891bc

General

Target

b2fffbe3ec5f623a23275569218e95c0N.exe
Size

78KB
MD5

b2fffbe3ec5f623a23275569218e95c0
SHA1

7725c7f995f9373f1e5d9b18f30e81203b77cf49
SHA256

b7a3e95f3dd3c706412f0c9abe4a5301ad697a35d3fa96eebeab2b1b99b891bc
SHA512

921ac5355617960bf687e272d90abe5aa8ba3f76223c4186d1ef06bcdb07aebc517f06b301483ef3016d620c6873f3de383a3fef4b1fe14ec7b966deeafc3a2b
SSDEEP

1536:ty5jwdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6y9/b13W:ty5jfn7N041QqhgN9/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b2fffbe3ec5f623a23275569218e95c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3648	tmp886A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp886A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2fffbe3ec5f623a23275569218e95c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp886A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	b2fffbe3ec5f623a23275569218e95c0N.exe
Token: SeDebugPrivilege	3648	tmp886A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3704	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	84
PID 4720 wrote to memory of 3704	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	84
PID 4720 wrote to memory of 3704	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	84
PID 3704 wrote to memory of 1248	3704	vbc.exe	88
PID 3704 wrote to memory of 1248	3704	vbc.exe	88
PID 3704 wrote to memory of 1248	3704	vbc.exe	88
PID 4720 wrote to memory of 3648	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	89
PID 4720 wrote to memory of 3648	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	89
PID 4720 wrote to memory of 3648	4720	b2fffbe3ec5f623a23275569218e95c0N.exe	89

C:\Users\Admin\AppData\Local\Temp\b2fffbe3ec5f623a23275569218e95c0N.exe
"C:\Users\Admin\AppData\Local\Temp\b2fffbe3ec5f623a23275569218e95c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\edi7qzya.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72CE55FC1CCC427A8A60EC805E96FD49.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Users\Admin\AppData\Local\Temp\tmp886A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp886A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2fffbe3ec5f623a23275569218e95c0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89E1.tmp

Filesize
1KB

MD5
fa7c39615aebddd3b6193cfb44749f05

SHA1
78a1200ac483811825580076e9a88231d8d691af

SHA256
52727007ec93b265ddcc76d781edc6025f76daab59359f46739472be3ba13d6d

SHA512
3563534a3b86c3b73670273c005b1121cb955659a60966af9c71f237f17bdd30324f5ff5290d1f7af1ef700335e8d7f99c24d0bca14f27d6df6672a6ce5dd74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\edi7qzya.0.vb

Filesize
14KB

MD5
d67d4134f87644aaa725b77a7e12a865

SHA1
f9d7f7765e79755557aa5fd4e99d1b0835c6a796

SHA256
5cd4c4644fc9b700bba143363ef38859cabb8a97ce411f90c9c12c53c19e1b9d

SHA512
e221105ae430bea22bd943aa9d93c381d2fe8e297c3553f67a97cc410d6cb5cfe5078d83694522ed09c1abcf7ae40650ac7c9fd1cb9ff442ada153a074087f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\edi7qzya.cmdline

Filesize
266B

MD5
7a0a551c483ad660e8e1098d9fdc9557

SHA1
fb7fae2ae754ecad949ea2e2edcf9ecb597680e2

SHA256
411a3ae2db0e3637a181f338c6871aa03c7dfa1812e2232cb5db926fad8fd51f

SHA512
fb6f37873324acb0b7d5be8660a37da7a9a85915b9aff8aba3b70758fcd61c50537dd4ae3ffdd8e7f6c307a4cc7e336b34abbc537dda5dc47d6c0556949e9fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp886A.tmp.exe

Filesize
78KB

MD5
717525d362ddca02df4d122333dee7de

SHA1
17350470873170d5fef9b4f40e4d386c7bdaa488

SHA256
45864ba1302c2534ad83154af295666a1081eede2dce1b2421a42971123b09dd

SHA512
852533bfb8f520b92886b60a0f91fa034c7cad91a9fb014d2282bc0c4f465ba355047f55230180a4bdcedcc29e386800ce9732f486c8c98179fa730f74265846

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc72CE55FC1CCC427A8A60EC805E96FD49.TMP

Filesize
660B

MD5
416eeeec9e3e736dc677ce980b28e92f

SHA1
bc6a0841e10c37737ad313ea6cdbeeb7e30c44d1

SHA256
afe67f5acca5b4343dbae5fa7cea7a5b74ece800d3c76c54aba7a945e39a4708

SHA512
202191cf276eb2f2f4f17e1579ddf99dd8964f9830f4f03ac6dbffbeea0827a1f3c4d27804bca0059c0a6bcda1c271f31228d60f8192877307bfd281437b6937

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3648-23-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-24-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-26-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-27-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-28-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-9-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-18-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-2-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-1-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-22-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-0-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads