metamorpherrat | 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374

General

Target

6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Size

78KB
MD5

5035de61a0f808de5e03d37b266c6beb
SHA1

f265a2271892904229287ed7b62c974a2a20bb0e
SHA256

6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374
SHA512

c1803625cbce1da19375d43ba87b7e5afec2d008222725e16d28b0ace601c06b0d8abd6b09ff24c03fb9abe4d4e307eed9bcaae9a91bee2b356119cf78e41265
SSDEEP

1536:WPWtHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC9/s1Eu:WPWtHYO3e/vqyA11XYUBxprBPjcC9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe

Executes dropped EXE 1 IoCs

pid	Process
1816	tmp8B77.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp8B77.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8B77.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Token: SeDebugPrivilege	1816	tmp8B77.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1236	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	84
PID 2376 wrote to memory of 1236	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	84
PID 2376 wrote to memory of 1236	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	84
PID 1236 wrote to memory of 1552	1236	vbc.exe	88
PID 1236 wrote to memory of 1552	1236	vbc.exe	88
PID 1236 wrote to memory of 1552	1236	vbc.exe	88
PID 2376 wrote to memory of 1816	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	90
PID 2376 wrote to memory of 1816	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	90
PID 2376 wrote to memory of 1816	2376	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	90

C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
"C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlnhgryb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDABB9B92C4641EC88C97C50515B185D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- C:\Users\Admin\AppData\Local\Temp\tmp8B77.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8B77.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8D4C.tmp

Filesize
1KB

MD5
f051d5845ff86b7b89bf5fb9b59e5e48

SHA1
38a390e114d02fe6163265bd66d0dce74526c68e

SHA256
41ee881504f52d2d90dcb9a153a4ddbff71c9136cbaef6bf58d203a226346cdb

SHA512
aecb1c7765d2eeeef064848b66e1bd08ba3ea83765cef505adcaf16175b11d679e837cf72b7b7826e3c049c3be166300166b03821b27da7a26bde7d36f57dbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B77.tmp.exe

Filesize
78KB

MD5
4a6de933bca17e36a23c8b8682bca1c2

SHA1
1c1f5e3d6dc631c3f1fc44ff722a8f7ecd3c28ab

SHA256
b121684c6c6345829504cbe063a5ce9187a8f7232fc2ce38d2ef4379c9118cec

SHA512
6507a63cb7cbcf67ed47899904db79d24477b2b277a45e809c740623a88f8797c3b2b475ea5775726c15538d2c27e857b6b72f8cb1ec6860d7e76b8d20fefe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBDABB9B92C4641EC88C97C50515B185D.TMP

Filesize
660B

MD5
219f1c06e54cdfdfe02988d4cf455665

SHA1
c1aaa4b73f7e92a07e286613ae328c5b3bf024e8

SHA256
bfcec6b48d8042943d551d4621bc946da549378777c893afdc3da61764cfcafe

SHA512
b19a89781d5ebf55cde79d281a8043767c1c1fc95bf70ea95ff49443809992bac7caf5dab322931b2fc29dfc2b07c883d1302e76b933c9c106c8af7567c3922c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlnhgryb.0.vb

Filesize
15KB

MD5
f8f2e8f97f86ad346c1e4a4eb9ca938c

SHA1
c383900e6fdf92542f2dd175c74dc03f4e52e467

SHA256
cd0bd1d044ed8b6db02f79a9c624bccc3bddac77fc378f62d90c211ce2215791

SHA512
2a40c3990d37dc08e62d169a857daa0e22fa1dce5d5161fd373c3cf57d4beedbdebf51c3f0c73400aee36d0f1a4977beaededd6e87f939c145c177fbe6c2b029

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlnhgryb.cmdline

Filesize
266B

MD5
d489275e56157c805335a48734d42ac1

SHA1
c3e25e71eacb9938fc2eb853d52b145e45e9dc98

SHA256
baec0685f69f8022c3ff9b1263bad7ff1c91d88ddccb7155beffc8cef898ce0d

SHA512
d6c7e2f0e2b7c2e3e467c505b91949a92ccf5a609880e65a3baa6a4da071cc2f939927121b87daed25e54c62fddc8a235b3ba01d7fcff9d19bc43f46f74a63ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/1236-18-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1236-9-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-25-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-23-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-24-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-27-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-28-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-29-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-22-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads