metamorpherrat | 551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910

General

Target

551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Size

78KB
MD5

1f868660854617ee3ec7eb725188bdd0
SHA1

81ed12ec6dac4d4b74f80f02337cda1ed3bf0be2
SHA256

551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910
SHA512

963cbd76196c10c45d2ae2c576b45083e35a9599112f9ddc1f6c878945de4a247210152a23af480dfcf9c70c84235c0a8195cc7cebc986ed93a37f5e81b4b7ac
SSDEEP

1536:lPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/t16X:lPCHshASyRxvhTzXPvCbW2Ug9/w

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2424	dw20.exe
Token: SeBackupPrivilege	2424	dw20.exe
Token: SeDebugPrivilege	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
Token: SeBackupPrivilege	2424	dw20.exe
Token: SeBackupPrivilege	2424	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2424	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	84
PID 3520 wrote to memory of 2424	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	84
PID 3520 wrote to memory of 2424	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	84
PID 3520 wrote to memory of 2216	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	85
PID 3520 wrote to memory of 2216	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	85
PID 3520 wrote to memory of 2216	3520	551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe	85
PID 2216 wrote to memory of 1552	2216	vbc.exe	89
PID 2216 wrote to memory of 1552	2216	vbc.exe	89
PID 2216 wrote to memory of 1552	2216	vbc.exe	89

C:\Users\Admin\AppData\Local\Temp\551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe
"C:\Users\Admin\AppData\Local\Temp\551d2ba4e7467f30fdae24fc5633ae6e26f1ca271e807b1267818d9f96304910N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 452
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\loekgyji.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51D7610A2063484A8F8DA48C71723B8A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9579.tmp

Filesize
1KB

MD5
a8d950a531b7a1b00a0e0b0a19d9ac70

SHA1
dafe548aa44e784a01a0767963d259b0222b59a2

SHA256
c7e1fcc904fd2f9e66739060d42a972c8da0daee2cfbc31fe2bb64f7a9727bad

SHA512
bbf2fb6c29ab1bb8a477eac47e5dcbd0fcbc4e9ef0de30c23b2249102297c855ca94a46104f892d11ef7476223e088be6dc53a76bf695e33abfeb8ca25445f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\loekgyji.0.vb

Filesize
15KB

MD5
62e3df85965a51c18a4c168d8a1a8a96

SHA1
6f92b48a4622375dcfbd72f3c77d0c16c6a25108

SHA256
7eaf245ffc1ae98831e07756a776e334e68a85aa1ace68b82708bea96d34731f

SHA512
69f36f374b3e5bc507bb170b18d940b3426a368ce643870a22e34f763cf2822bda1180ad7d070cddd629f8bbca26637937f5af27e7adfec58ca0f1ae7a8ef27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\loekgyji.cmdline

Filesize
266B

MD5
e02370d50ee2c88c0bbb2d4aab4a5dd5

SHA1
38b3814fd558eab63e8b72c6c3146734df537839

SHA256
de2ac9aafefb5de4cdbd9450ac977a84a9df3124bb4d6d69887f67071e9e297a

SHA512
d78e8b3b529faf714ebd96e4181fb64608b609b52560ff80b5707e804355af610455e212abea5798b2d0031e35b5cf7d260a1d2a405e127dee6af22950354f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc51D7610A2063484A8F8DA48C71723B8A.TMP

Filesize
660B

MD5
70e4fbdfae17369f02c28503abe94918

SHA1
113cae136694a8103ce426fe86f195e80c5326b0

SHA256
31e3db7c41a4f0432fd039075a599da58195a0058da1c627380f532c58c0a070

SHA512
d1fd75cca17fb428e2d133e8050125a9488d6c565449ff6101d73f715eb8d34fd35c9a5d21289438a974b2b1a3eb9bd4df89428759a01e4baa53a731254340ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2216-19-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-25-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-0-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

Filesize
4KB

Download
memory/3520-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-2-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-22-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads